Cause & Impact: A Case Study Review of an Actual Cyber Attack Crime Scene


By Medicus IT

As the healthcare industry continues to provide life-saving services with the most advanced technologies, cyber threat actors continue to look for opportunities to exploit the vulnerabilities that are associated with these changes. Organizations that lack network protection may find themselves the victim of healthcare data breaches.

In our webinar, Medicus IT (your healthcare IT solutions specialists) invited IT healthcare experts to review and discuss an actual cyber-attack. Tim Hebert, CRO at Medicus IT, Steve Losefsky, COO at Medicus IT, Gary Salman, CEO at Black Talon Security, and Brian Heun, Partner at KMRD Partners, broke down the details of the case, explored the reality of recent healthcare data breaches, identified the issues, and highlighted the key lessons learned from the incident.

#1 Reason for Data Breaches in Healthcare

The black market value of medical records stands at $250 on average, and patient medical records can sell for $1,000 on the dark web. Why are healthcare records so valuable? Healthcare records contain ample amounts of sensitive data or personally identifiable information that cannot be easily changed. 

When a person’s credit card gets stolen, it is simply canceled and replaced, which ends any further risk. With healthcare information, many different forms of personal information can be taken, and there are multiple uses for that data. For example, it can be used to create false identities, commit healthcare fraud, illegally purchase prescriptions, get access to medical equipment, or commit tax fraud. These many options make healthcare data valuable to cybercriminals and make data breaches in healthcare more prevalent than most organizations realize.

Biggest Healthcare Data Breaches in 2021

Top 5 HPH Victim Sectors Impacted by Ransomware Globally 2021

  • Health or Medical Clinics
  • Healthcare Industry Services
  • Hospitals
  • Pharmaceutical 
  • Hospice Or Elderly Care

Source: Health and Human Services Department

It’s easy to assume that cyber criminals will only go after the big hospitals that have large databases of patient records and plenty of money to pay a ransom. However, the reality is that smaller organizations are being hit too. Hackers don’t hunt for specific victims. They are essentially casting a wide net and scouring for any opportunity to find any kind of healthcare organization with vulnerabilities in its network. If they stumble upon a healthcare entity, regardless of size, whose network is exposed incorrectly, they’re going to target it and hit it.

Gary Salman, CEO at Black Talon Security says, “When we see them going after these entities, we see them as an accidental hit. When they realize it’s a healthcare entity they’ve come across, the alarms go off in those hacking groups because they realize the payout. They understand the healthcare laws in the US, and they know almost all healthcare entities that are victims of these attacks will pay the ransom.”

Execution of the Ransomware Attack

The victim was a multi-provider healthcare facility and surgical center with 75 workstations and 12 servers, onsite EMR software, an onsite email server, and 44,000 patient records.

The initial entry occurred during business hours. In many cases, alerts go off at the managed service provider or IT company. In other cases, there are no indicators. It depends on the quality of the managed service provider and the tools that they’ve deployed in the environment.

In this case, Medicus IT had tools that alerted end users. Medicus IT helped to quickly minimize the damage. Forensics was brought in to analyze the crime scene – similar to a detective or FBI agent arriving at a crime scene to gather evidence as quickly as possible. Because the victim is a healthcare entity and there are stringent state and federal laws that need to be followed, it is necessary to check first if patient data was accessed or stolen. 

It was determined that the healthcare entity was hit by a group known as Hello Kitty, which was carrying out a triple-extortion attack. Its methodology includes encrypting the data, stealing the data, posting the data on the dark web, and sending the link back to the victim (if the healthcare entity refuses to pay). By sending the link, the hackers are showing evidence that they have the medical records and are ready to share them publicly.

A user’s account had been compromised (most likely an employee fell victim to a phishing email), which meant the attackers could simply enter that username and password to log on to the network. Without the necessary technology to block the hackers, the system was open to attack.

Thankfully, the company had recoverable backups available which helped facilitate recovery. However, like any other healthcare entity, they had to pay the ransom to destroy stolen data and prevent it from being published.


Impact of the Ransomware Attack

  • EMR down for 9 days
  • Email down for 3 days
  • 30 days to get all devices back online
  • Management stress
    • Insurance, legal, IT, forensics, law enforcement
    • Employee communications
    • Patient communications
    • Implementing paper processes
    • Planning for re-start
  • Inability to bill, process claims, review prior medical history, interact with labs, etc.
  • Notification to 44,000 patients
  • Managing subsequent patient inbound calls
  • Credit monitoring for employees
  • Cash flow issues related to loss of business
  • Insurance claim management
  • Legal calls
  • OCR investigation and required responses
  • Internal management team distractions

Lessons Learned:

  • “This won’t happen to me” is not a strategy
  • Have planned manual processes
  • Know how to restore data input once back online
  • Develop a communication plan without email or chat
  • Ensure thorough note taking during the incident
  • Review general and cyber liability insurance annually
  • Maintain ongoing understanding of attack surface to mitigate risk
  • Policies, procedures, and risk assessments are critical to managing an OCR investigation

The right healthcare managed services provider can strengthen your health IT operations and security with a scalable strategic plan to help your practice successfully and safely navigate the future. Contact us today to ensure you are protected.
