HIPAA Horror Stories

Malware Travels

one-minute read

You open your work laptop on your beach vacation and start to answer personal emails. Boom. A $50 million mistake.

When you return to work and log in a week later, the malware that crept on to your laptop on vacation travels out to the organization’s network. The entire network is infected and ultimately the organization becomes a ransomware victim. The malware came from an infected non-work email you received and opened.

This is what happened to the University of Vermont Medical Center (UVM) last October after an employee took a corporate laptop on vacation and used it for personal emails.

Nightmare Scenario Costs Tens of Millions

The attack first shut down the hospital’s applications. After two hours of investigating UVM’s IT team discovered a file with the attackers’ contact information and realized it was a ransomware attempt.

But the hospital decided not to contact the attackers and did not pay a ransom. Instead they cut off all internet connections to the hospital’s network to protect the data, leaving the health system to operate without access to most of its data for several weeks. They also contacted the FBI for their investigative help.

The malware traveled from one hacked email an employee received while on vacation, back through to more than 5,000 hospital computers and laptops and 1,300 servers at work. UVM had to wipe the computers, laptops and servers and then reinstall all data and software.

UVM furloughed or reassigned about 300 employees who were unable to perform their jobs while the systems were down. During the downtime UVM had to cancel or postpone some services, including elective procedures and cancer treatments. UVM estimates the total cost of the attack was $40 to $50 million, mostly in lost revenue. By the end of the year UVM had recovered from the attack. UVM executives said there is no evidence that any patient information was stolen or breached.

Security Improvements Can Help

Since the incident, UVM has taken security steps to combat future malware attacks. The IT department now sends out regular simulated phishing emails to employees in order to heighten awareness around the risk of phishing. If an employee clicks on it, the department provides immediate feedback to help them identify real phishing emails in the future.

The department has also blocked access to personal email on all work computers, installed anti-virus response software and advanced firewall protection, and restricted access to the corporate network.

Cybersecurity Lessons Learned

In healthcare electronic devices should only be used for healthcare purposes and not for personal matters. This includes desktop computers, laptops, tablets, servers, smartphones and USB drives; all electronic devices need to be inventoried and maintained by the organization’s IT staff, who can monitor and install software patches and updates as needed.

There are five simple steps you can take today to reduce your cybersecurity risks. It’s also critically important to do a thorough HIPAA Risk Analysis follow the Risk Management plan from that, and train the workforce in cybersecurity awareness.

The HIPAA E-Tool® makes compliance fast and easy. Get your free HIPAA Quick Start kit, complete with a webcam privacy guard, HIPAA Hot Zone labels and a HIPAA checklist delivered directly to your office.

Don’t become a HIPAA Horror Story! HIPAA compliance is easy, when you know the rules.

Request A Demo

Copyright © 2021 ET&C Group LLC.

The HIPAA E-Tool® and Protecting Patient Privacy is Our Job®
are registered trademarks of ET&C Group LLC

Terms of Service | Privacy Policy

Mailing Address
The HIPAA E-Tool
PO Box 179104
St. Louis, MO 63117-9104

Office
8820 Ladue Road Suite 200
St. Louis, MO 63124

Free hipaa kit!

hipaa compliance Quick start kit
Delivered free