Propel provides innovative insurance solutions to thousands of companies across the country. We make it our business to know your world inside and out.
Claims & Risk Management, Cyber Security, Management Liability
Hospital Caves In and Pays Cyber Ransom
At the end of the day on Friday, February 5th, 2016, employees of Hollywood Presbyterian Medical Center in Los Angeles started having computer problems. Soon it was clear that it wasn’t just a routine computer crash – malicious software was to blame and a cyber ransom was due.
A number of the computers were completely frozen, and the only way to regain access was to pay a ransom. The hackers demanded 40 “bitcoin” which is a new method of payment favored by hackers that operates outside of the traditional banking system. In U.S. dollars, it was about $17,000.
Unfortunately for the hospital, initial reports suggested that the hackers demanded 9,000 bitcoin, which is more than $3 million. This got the attention of the media – Washington Post, Forbes, CBS – so not only did the hospital have a technology mess, they had a public relations mess, too. The fears of the patients and their families, that this situation could lead to mistakes, were real. So when the hospital provided a formal statement about this event, exactly twelve days later, the second and third sentence of the statement assured the public that patient care had not been compromised.
The fourth sentence asserted that there was “no evidence” that patient information had been breached. This was likely a nod to HIPAA regulations. If Protected Health Information (“PHI”) had, in fact, been breached, federal law would have required that the hospital notify each affected patient.
The hospital also noted that it had engaged unnamed “computer experts” – likely a firm specializing in cyber forensic investigations and data recovery – to determine whether any data was lost or viewed without authorization.
So it is safe to assume that the hospital incurred at least four varieties of costs and possibly others, as follows:
- The ransom itself of $17,000
- Consulting fees from a public relations firm
- Computer expert consulting fees
- Legal fees to determine the applicability of HIPAA regulations
These attacks have become more and more common, so much so that there’s now specialized terminology to describe them. Once “ransomware” infects your computer, it freezes it with a “lock screen.” To regain access to your files, you must pay the ransom to receive the “decryption key”. This can, and does, happen to all types of businesses. A swift response is critical.
Hollywood Presbyterian reacted quickly, issuing a formal statement within two weeks of the event. Although it is debatable whether or not paying a ransom was the responsible choice, it appears to have worked. Their decisive response is was likely in the best interests of the patients, at least for the time being (unless or until they suffer another such attack).
The total cost of this response may have been much higher than just the $17,000 paid in ransom. It is important to know that all of those costs – legal, public relations, computer forensics, even the ransom itself – can be covered by a properly crafted Cyber Liability policy. Perhaps even more important is that an insurance-provided Breach Response Coach can be deployed to coordinate these various resources. The use of a Coach accelerates the response, reduces the potential liability and alleviates the drain on company resources.
Here at Propel we call that CyberSmart® Insurance. Contact us for details.