A cybersecurity attack against the Texas Tech Health Sciences Centers (HSCs) in Lubbock and El Paso last year cost $2 million plus an unknown amount in lost revenue, LubbockLights.com learned through an open records request.
Part of that cost was insured (which we explain below).
Costs would include things like notifying more than 1.4 million consumers and hiring outside experts to investigate what data was lost or stolen in the cyberattack.
Lost revenue came after clinics were forced to close temporarily.
The HSCs did not use the word ransomware, but several technical journals said a known ransomware group called “Interlock” claimed responsibility. Interlock released screenshots claiming to have 2.1 million files of HSC data and offering to sell it.
“TTUHSC did not pay a ransom,” said an email from Ronny Wall, Texas Tech University System general counsel.
The email was part of the response to our open records request.
Background
In September, the two HSCs and University Medical Center (UMC) in Lubbock publicly disclosed cyberattacks that shut down normal operations. UMC paid a ransom to get its computer data back after the security breach, LubbockLights.com reported from multiple sources. Normal operations were back at UMC by November 22.
UMC’s insurance covered both the ransom and cost of recovery efforts except for a deductible.
Classes at the HSCs were canceled for a few days after the attack and some medical appointments were canceled or postponed. Online patient portals were mostly back up and running by October 31. But there were still computer issues as of November 14.
“The data has been recovered in such a way that operations can get back to normal,” said Wall’s email to LubbockLights.com.
Responding to a question as to whether internal policies or procedures were violated, Wall said, “No employees were investigated or disciplined. Further details about the attack cannot be disclosed.”
Insurance coverage
The Texas Tech University System (which includes the Health Sciences Centers) had an insurance policy with a $1 million “retention,” which is similar to a deductible.
LubbockLights.com went back to Wall to clarify whether the insurance claim was categorized as a ransomware event with a $500,000 limit. After this story was published, we received an update from Candace Norrod, a paralegal with the TTUS.
“For purposes of this cybersecurity event, the system and the component institutions have $1,000,000 in coverage once they collectively pay the $1,000,000 retention,” Norrod said.
For other kinds of computer breach events, the policy covered up to $5 million (with a $1 million retention to be paid by the HSCs).
The policy renewed in December, going from a $500,000 to a $1 million limit for ransomware events. The $1 million retention remained the same.
The previous policy, in place at the time of the attack, cost $389,000. The new one, starting in December, cost $403,750.
Reviewing what happened
In the open records request, LubbockLights.com sought a copy of the official notice from the HSCs to the U.S. Department of Health and Human Services Office for Civil Rights.
It said in part:
“TTUHSC took steps to ensure the security of the network and began an investigation … The investigation confirmed that a cybersecurity event caused the technology issues, resulting in access to or removal of certain files and folders from the TTUHSC network between September 17 and September 29, 2024.”
The cyberattack breached private information from 815,000 individuals at the El Paso HSC and 650,000 people at the one in Lubbock for a total of more than 1.4 million.
The HSCs’ data breach included:
- Name
- Date of birth
- Address
- Driver’s license number
- Government-issued identification number
- Health insurance information
- Medical information, including medical records number, billing/claims data and diagnosis and treatment information.
Who is the Interlock Ransomware Group?
A website called thehackernews.com wrote about the Interlock Ransomware Group in January.
“The Interlock ransomware group is a relatively recent but dangerous player in the world of cybercrime, known for employing double-extortion tactics,” thehackernews.com reported.
Interlock encrypts a victim’s data and threatens to sell sensitive information if a ransom is not paid.
“Their primary motivation is financial gain, and their methods are tailored to maximize pressure on their targets,” thehackernews.com reported.
The article said Interlock tries to trick people into clicking malware that is disguised as legitimate software.
“Victims unknowingly launch fake updaters, such as those mimicking Chrome, MSTeams, or Microsoft Edge installers, thinking they are performing routine maintenance. Instead, these downloads activate Remote Access Tools (RATs), which grant attackers full access to the infected system,” thehackernews.com reported.
Other online technology journals have reported similar facts about Interlock.
Clarification: The insurance policy is for the entire Texas Tech University System, which includes the Health Sciences Centers. This story was updated.