By Jeff Wardon, Jr., Assistant Editor

A ransomware attack on December 1 stalled operations across three of PIH Health’s hospitals as hackers stole reportedly up to 17 million patient records, including confidential medical and personal data.  During the attack, the hackers allegedly made negotiations in exchange for a decryption key. 

As a result of the cyberattack, a man from Whittier, California, is suing PIH for allegedly not keeping his confidential information safe from hackers, Pasadena Star-News reports. The lawsuit seeks unspecified damages for negligence, invasion of privacy and other complaints stemming from the ransomware attack. At the time of publication, PIH has yet to comment on the lawsuit. 

Ransomware attacks are costly to healthcare facilities, not only legally, but also in terms of their literal financial impacts, down time and reputational damage. 

According to The State of Ransomware in Healthcare 2024 published by Sophos, 65 percent of ransom demands were for $1 million or more, and 35 percent were for $5 million or more. The median payment was $1.5 million, and the average payment was $4.4 million out of 99 organizations surveyed that admitted to paying the ransom. 

Down time can hamper a healthcare facility’s operations or bring them to a standstill. According to a study from Comparitech, down time varied from minimal disruption to months long. On average, healthcare organizations lost nearly 14 days to down time, with each year varying from 2.6 days in 2018 to 18.71 days in 2023. 

However, not even a healthcare facility’s reputation can escape being damaged. An example of this is the Change Healthcare cyberattack, as Errol Weiss, chief security officer at Health-ISAC, previously told Healthcare Facilities Today. The cyberattack on Change Healthcare was because the organization hadn’t put multifactor authentication (MFA) in place to a remote desktop access portal, allowing attackers to use stolen credentials to access the organization’s systems. 

While Change Healthcare is a provider of revenue and payment cycle management, it’s a critical part of the healthcare supply chain. Regardless of a cyberattack hitting the supply chain or an actual facility, it will impact the quality of caregiving and overall operability of a healthcare facility. Eventually, this can erode the public’s trust and make their opinions toward healthcare organizations unfavorable. 

These costs can weather away at the public perception of healthcare if they aren’t addressed immediately. There are key areas healthcare organizations and facilities can focus on to protect themselves from cyberattacks and ransomware, according to Weiss: staying up to date on security patches, backing up systems and data, and using MFA. 

Jeff Wardon, Jr., is the assistant editor for the facilities market.