Hackensack Meridian: We paid ransom to hackers to stop hospital cyber-attack

Michael L. Diamond | Asbury Park Press

Show Caption Hide Caption Ransomware has employers scrambling to stay online Hackers are getting into computer systems and demanding ransoms to turn over the keys.

Hackensack Meridian Health paid an undisclosed amount in ransom to stop a cyber-attack that has disrupted the hospital owner's computer network since it began last week, the company said Friday.

The Edison-based company said it had insurance to help cover the costs associated with cyber-attacks, including payment, remediation and recovery efforts.

"We believe it's our obligation to protect our communities' access to health care," it said in a statement.

MORE: Hackensack Meridian, hospitals face tough choice when hit by ransom attack

The health care system has $6 billion in annual revenue, more than 35,000 employees and 17 hospitals, including Jersey Shore University Medical Center in Neptune, Hackensack University Medical Center and JFK Medical Center in Edison.

[ The trusted place to find the best home service providers. Find local pros. ]

Locally, aside from Jersey Shore, it owns Riverview Medical Center in Red Bank; Bayshore Medical Center in Holmdel; Ocean Medical Center in Brick; and Southern Ocean Medical Center in Stafford.

The statement marked the first time the company confirmed it was the target of a ransom attack, a crime that has entangled other hospitals, businesses, municipalities and universities.

The attack on Hackensack Meridian began last week and brought down the computer network for two days, leaving hospitals to reschedule non-emergency surgeries and doctors and nurses scrambling to deliver care without access to electronic records.

Business danger: Asbury Park small business nearly killed by hacker; here's how

Cybersecurity: If your data is hacked, should you pay a ransom?

The impact wasn't confined to the hospitals — or employees. Suzanne Penna, 48, of Pine Beach, said she had an appointment in Toms River last Tuesday at 9:30 a.m. with a Hackensack Meridian doctor and didn't finish until 12:30 p.m.

Without information readily available online, she had to fill her doctor in on her medical history. She couldn't get her lab work done. And she had to take hand-scrawled prescriptions to her pharmacy, she said.

Ransomware attacks aren't "just money for corporations," she said. "It affects people's lives."

[ Keep up with our latest news by buying a digital subscription to APP.com and downloading our mobile app today. ]

In ransomware attacks, hackers lure workers with links that look far more legitimate than far-fetched phishing expeditions. If someone clicks on the link, hackers deliver software that allows them to encrypt data, making the computer network inaccessible.

Hackensack Meridian said Friday that it couldn't disclose the amount of the payment because of confidentiality agreements.

It said its primary clinical system is operational, but it is still working to bring other parts of the system back online.

Hackensack Meridian: Bayshore Medical Center's new emergency room twice as big as current ER

Hackensack Meridian: This Shore hospital has 100,000 bees on its roof

The company said it discovered the incident quickly and immediately notified the FBI, other law enforcement and regulatory authorities. It also talked to cyber-security and forensic experts.

It added its investigation so far has found no indication that any patient or employee information was subject to unauthorized access or disclosure.

The company previously said only that its computers were down because of "external technical issues." it said it couldn't disclose that it was a ransomware attack because of developments in the investigation and on advice of national experts.

This episode "makes it clear that even the best preparation may not prevent a successful attack," the company said in its statement.

Michael Diamond is a business reporter who has been writing about the New Jersey economy for 20 years. He can be reached at 732-643-4038; mdiamond@gannettnj.com; and @mdiamondapp.