Hancock Regional Hospital back online after paying hackers $55,000
- 18 January 2018
Hancock Regional Hospital has had its IT systems restored after paying off the hackers who infected its computers with ransomware known as ‘SamSam’.
In a press statement issued on Tuesday (16 January), the Indianapolis hospital said it had regained access to “critical systems” after working with the FBI and local cybersecurity firm Pondurance to transfer a bitcoin payment to the attackers.
A hospital spokesperson told Digital Health News that four bitcoin, with a total value of $55,000 (£40,000), had been transferred in exchange for the encryption keys to its computers.
Steve Long, CEO of Hancock Health, said the decision to pay off the hackers was made in order to regain control of its systems “in the quickest way possible and avoid extending the burden toward other hospitals of diverting patients”.
The hospital said that life-sustaining and support systems had remained unaffected during the attack, which happened late last week, and that forensic analysis suggested no patient data had been compromised.
The ensuing investigation revealed the point of entry to be a hospital server on which Microsoft’s Remote Desktop Protocol (RDP) service was enabled and accessible via the internet.
“Forensic analysis determined that an administrative account set up by a vendor of the hospital was compromised and used to gain unauthorised access to a specific system managed by that vendor,” the statement read.
Using this account, the hackers were able to mount an attack against a number of the hospital’s information systems, including its EPR and email client.
The hospital said that critical systems were restored and the hospital was back online by Monday 15 January.