When Rehoboth McKinley Christian Health Care Services in Gallup, New Mexico, was hit with a cyberattack earlier this year, the hospital’s staff had to revert to pen and paper to keep things running.
Publicly available details about the hack are scarce, and the hospital has declined to comment beyond confirming that the security breach briefly forced its staff off its computers. But sensitive employee files posted online by a hacker group known for ransomware attacks and seen by NBC News indicated just how deep an attack the hospital had suffered: files on everything from job applications and background checks to staff injury reports.
Ransomware attacks, in which hackers gain access to a private system to hold it hostage for payment, have been a problem for businesses for more than three years. Some hospitals have poor cybersecurity, and unscrupulous gangs see them as potentially flush with cash and easily coerced with the threat of leaked patient data.
Last year, at least 560 health care facilities were infected with ransomware, according to a survey from the cybersecurity company Emsisoft. In October, amid a particularly brutal wave of attacks, several federal agencies issued warnings of “an increased and imminent cybercrime threat” to hospitals. An advisory from the American Hospital Association laid out how the Covid-19 pandemic had encouraged cybercriminals “to exploit, victimize and profit” from ransomware attacks.
The hacker group that breached Rehoboth stole sensitive employee files, such as job applications and background check authorizations that included Social Security numbers, and posted them to its website in an apparent attempt to extort the hospital for payment.
“Seems like there’s all kinds of unfortunate things happening at that hospital over the last year, with the pandemic and everything,” said Dr. Ravij Patel, a surgeon who left the hospital around the upheaval last year and who confirmed his information was posted online.
Rehoboth, a rural not-for-profit hospital that serves about 20,000 patients a year — a majority of them members of the Navajo Nation — was already in a difficult position. The only major nongovernment hospital in its region, Rehoboth fired its CEO last year after staffers accused him of mismanagement when it was understaffed and overrun with Covid-19 cases.
Patel, as well as three other people who had worked at or applied to the hospital whose private information was also among the files that the hackers posted all told NBC News that they had not been alerted to the incident or received any notice from the hospital.
“The idea is that if the victim won’t pay to decrypt their files, they will pay to avoid having those files widely shared,” Allan Liska, a ransomware analyst at the cybersecurity company Recorded Future, said. “Some industries, such as health care, are more sensitive to having files exposed than others.”
The hacker group did not respond to emailed questions. Earlier in February, the same gang published tens of thousands of patient medical records from two other American hospital chains it had attacked.
“Most ransomware actors now steal files,” Liska said. “When the victim refuses to pay, the ransomware group publishes the stolen files on their extortion site, what is commonly referred to as double extortion.”
It is not clear whether the hospital paid the ransom, but the hackers have since removed the Rehoboth files from their website, an indication that the hospital may have met their demands, he said.
“Recovery from a ransomware attack often requires negotiation with the ransomware actors,” Liska said. “Usually, when files appear on an extortion site and then disappear, it means a payment was made.”
Ina Burmeister, Rehoboth’s development director, declined to make any executives available for interviews or to answer specifics about the attack, including whether it had paid the ransom or how the hospital was dealing with the attack currently.
“With the guidance of outside cybersecurity experts, we have since implemented additional security measures,” she said in an email. “Although some of those measures have caused occasional slowdowns with our system, patient safety has remained our top priority during this time.”
Some of the leaked files include job applications, where nurses share their backgrounds and state that they’d like to start at $13.25 an hour. A few are workplace injury reports. One details an incident when an older nurse tripped on a power cable on the floor and hurt her knee.
And whether the hospital paid the ransomware hackers or not, the incident was another blow to a hospital that has already had trouble serving its population of Native Americans. Patel said the hospital is badly in need of an upgraded intensive care unit.
“The Navajo Nation at large is the size of a small state, but falls woefully short for its inhabitants in terms of access to specialty services, including ICU,” he said. “Any resources put towards building an ICU would probably be better than paying off a bunch of hackers.”