Hackensack Meridian Health Pays Attackers Ransom

The largest hospital system in New Jersey said it paid an extortion fee to hackers who had disrupted medical facilities with a ransomware attack.

A spokesperson for Hackensack Meridian Health, based in Edison, New Jersey said it was working to restore its computer systems following a Dec. 2 ransomware attack that forced administrators to cancel roughly 100 elective medical procedures. The nonprofit, which operates 17 clinics and hospitals, cautioned that no patients were harmed as a result of the attack.

It did not say how much it paid ransomware attackers to unlock medical systems which leaves many questions unanswered.

“We believe it’s our obligation to protect our communities’ access to health care,” the nonprofit said in a statement Dec. 13 2019.

Ransomware attacks typically begin with an email containing a malicious link or attached document that infects victims’ computers. Once inside, scammers seek to infiltrate more sensitive areas of the network, encrypting data or disabling services along the way. Then, they promise to unlock those systems only in exchange for a payment, usually in cryptocurrency.

Law enforcement officials and cybersecurity practitioners publicly advise victims against meeting ransomware demands, warning that payments make them a more appealing target for another attack and that there’s no guarantee hackers will unlock their system.

While the hospital network’s primary clinical care systems had started to resume normal functions by Friday, this incident is only the latest in a long spree of ransomware attacks against targets that are vulnerable because of their importance to society. The city of New Orleans, La. called a state of emergency Friday in response to a separate ransomware attack that forced municipal workers to turn off their computers. The New Orleans mayor instructed all city employees to report to work as normal on Monday.

It was the third time Louisiana officials declared a state of emergency related to ransomware in just months, while attackers also have hit towns in Florida, Texas, Nevada and elsewhere. The first high-profile ransomware attack against a hospital occurred in February 2016 against Hollywood Presbyterian Medical Center in California, when executives elected to pay $17,000 in bitcoin to regain access to their systems.