Recent Cyberattacks on Health Care and the Consequences

By Judith Beach

According to a study covering January 2016 to December 2021,[1] 374 ransomware attacks on U.S. health care delivery organizations exposed the Protected Health Information (PHI) of nearly 42 million patients. The cybercriminals demand ransom to decrypt the exfiltrated medical data and, as such, create a direct threat to public health and safety. In addition, if the facility refuses to pay, some hackers have started posting the sensitive health data on the dark web. Moreover, some of the breached facilities are being sued on behalf of the patients whose data was compromised. Consequently, these recent cyberattacks on health care have significantly increased the cost of cyber insurance. Here are a few examples of recent cyberattacks in health care.

French Hospital, Hospital Centre of Versailles, Suspends Operations after Cyberattacks (December 2022)

In December 2022, France’s Health Minister, Francois Braun, reported that a French hospital complex in Versailles, near Paris, had to cancel operations and transfer some patients after being hit by a cyberattack.[2] The Hospital Centre of Versailles – which consists of Andre-Mignot Hospital, Richaud Hospital and the Despagne Retirement Home – was affected by the hacking attempt, said the complex’s management. Telephone communications, internet and all computer systems were cut off. The regional health agency (ARS) said the Andre-Mignot Hospital had cancelled operations but was doing everything possible to keep walk-in services and consultations running. However, the facility was forced to transfer some patients from its intensive care unit to nearby hospitals.

The group of hackers behind the attack demanded a ransom, according to Richard Delepierre, co-chairman of the establishment’s supervisory board. He told the local press that there was no intention to pay it. The hospital filed a formal complaint and the prosecutor’s office is leading an investigation into the extortion attempt.

In addition, another hospital in Paris, Centre Hospitalier Sud Francilien (CHSF), suffered a crippling ransomware attack in August 2022, with the attackers demanding $10 million to restore the encrypted files. As the hospital refused to pay the ransom, the attackers published the exfiltrated data on the hackers’ site.[3]

CommonSpirit Health (October 2022)

CommonSpirit (Chicago) is the second-largest not-for-profit health care system in the United States, with 142 hospitals and 2,200 sites of care within 21 states, accessible to one out of four Americans. In October 2022, CommonSpirit Health characterized the interruption of IT services across several of its hospitals as a ransomware attack. As a precautionary step, certain IT systems were taken offline, including electronic health records (EHR) and other systems.

As a consequence of the ransomware breach involving 600,000 patients, a class-action suit alleging negligence was filed against CommonSpirit Health on December 29, 2022.[4][5]

Rehoboth McKinley Christian Health Care Services (February 2021; Proposed Settlement Hearing May 2023)

A February 2021 breach of Rehoboth McKinley Christian Health Care Services, a New Mexico health care provider, exposed health information of 191,000 patients. Victims may receive up to $4,000 each to cover out-of-pocket and extraordinary expenses.

Alicia Charlie and her co-plaintiffs alleged the New Mexico health care provider failed to take adequate precautions to guard against a cyberattack that exposed the personal health information of just over 191,000 people. They say they face an increased risk of identity theft and fraud because of the breach and have received an increased number of scam phone calls. Magistrate Judge Steven C. Yarbrough of the U.S. District Court for the District of New Mexico trimmed the suit in April 2022, but refused to dismiss some claims, ruling that Rehoboth had a duty of care to protect customer data.

The final approval hearing for the proposed settlement described below is set for May 24, 2023.

The proposed settlement would provide reimbursement of up to $500 in out-of-pocket expenses per class member, including up to four hours of lost time at $15 per hour.

Class members who were victims of documented identity theft resulting from the breach would be eligible for up to $3,500 in additional reimbursement. All class members would also be eligible for two years of credit monitoring services under the settlement terms. Attorneys’ fees and costs would be capped at $300,000, and the four named plaintiffs would receive $2,500 in service awards. Rehoboth already has provided equitable relief in the form of security improvements aimed at improving protection of patients’ personal information in the future, the settlement said.[6]

[1] JAMA Health Forum. 2022;3(12):e224873.

[2] France 24 issued on December 5, 2022.

[3] “Hackers leak French hospital patient data in ransom fight.” September 27, 2022.

[4] “CommonSpirit Health sued over data breach involving 600,000 patients,” January 4, 2023.

[5] See the complete article. 

[6] Charlie v. Rehoboth McKinley Christian Health Care Servs. D.N.M., No. 1:21-cv-00652, January 9, 2023.