Ransomware Attack Impacts 100+ Nursing Homes

By Art Gross, President and CEO, HIPAA Secure Now!
Twitter: @HIPAASecureNow
Read other articles by this author

“Doctor, How Bad Is It?”
“I’m not sure, I can’t access your medical records to tell you exactly what the prognosis is.” Recently, this is what Virtual Care Provider had to tell its clients; that the technology services that they were providing were on hacker hiatus. In other words, they were hit by a ransomware attack, and until they came up with $14 million in ransom, they were locked out by cybercriminals.

Virtual Care Provider, a Milwaukee-based company services more than 100 nursing homes all over the United States.

A letter that went out on November 18th, one day after the attack was discovered, informed clients that about 20% of their services were affected by a virus, requiring 100 servers to be rebuilt. At the same time, they were working to see what, if any, client data had been compromised.

Hold Security, hired by the company to investigate, found that Russian hackers had infected their computers over a span of 14 months via phishing attacks.

Is There a Doctor Cybersecurity Expert in the Room?
Unfortunately for all involved, Virtual Care Provider is unable to pay the ransom, leaving many nursing homes without access to patient records, blocked from using the internet, issue paychecks, or even dispense medications. At the forefront of resolution is addressing life-threatening situations, but how many facilities are going to find themselves unable to survive in the long run? This may also be true of facilities who depend on insurance reimbursements who are unable to bill insurance and Medicare at this time. These businesses too may not be able to run and survive the ransomware blow.

With the 2019 average ransom paid being around $36k, this is almost beyond the scope of comprehension for victims. But it falls in line with an increase in attacks directed at hospitals and government agencies, as hackers know that they cannot afford to NOT pay the ransom and are the most likely to respond to ransom requests.

Preventative Care Plan
The saying goes, when you know better, you do better. And surely this has to be the overwhelming case when it comes to preventative cyber health care for these targeted businesses. Having a strong HIPAA compliance plan isn’t having cybersecurity in place. The two must go hand in hand to prevent and protect. That includes hiring the right people – not just appointing an existing employee or person to oversee it internally and having cyber insurance to recover should an attack occur. And based on all the odds, it will likely occur.

This article was originally published on HIPAA Secure Now! and is republished here with permission. HIPAA Secure Now offers annual online subscriptions to help covered entities and business associates keep up with compliance. Learn more here.

HIPAA Secure Now! suite of subscriptions offers an extensive list of tools to provide ongoing training, assessment, moderation activities and more to support an organization’s privacy and security efforts. Subscriptions also support the process of conducting an annual Security Risk Assessment to meet MIPS and Promoting Interoperability requirements.

The subscriptions work for organizations of all sizes, both Covered Entities and Business Associates. All are priced at a flat annual fee, based on number of employees, for a full 12 months. All include a discount if purchased through us.


If your organization has more than 50 employees, or if you’d like to schedule a demo or you just want to get a couple questions answered, take a few seconds to complete this form and we will get back to you.