Healthcare Provider Expected To Lose $106.8 Million Following Ransomware Attack (therecord.media) 45

An anonymous reader quotes a report from The Record: Scripps Health, a California-based nonprofit healthcare provider that runs five hospitals and 19 outpatient facilities, said it expects to lose an estimated $106.8 million following a ransomware attack that hit the organization in May 2021. The bulk of the losses, representing $91.6 million, came from lost revenues during the four weeks the organization needed to recover from the May ransomware attack. Scripps also lost $21.1 million in costs associated with response and recovery. While the company said it recovered $5.9 million through its insurance policy, the healthcare provider said it expects to lose an estimated $106.8 million by the end of the year. The losses stemming from the ransomware attack do not include potential losses due to litigation.

Following the attack, several patient groups also filed class-action lawsuits against the organization for failing to protect their data after the organization revealed that the hackers also stole data on roughly 150,000 patients before they encrypted the healthcare provider's servers. The attack, while it did not get the same national coverage in the US as the ones on Colonial Pipeline, JBS Foods, and Kaseya, was one of the most impactful of the year, with Scripps being unable to access its web portal, patient medical records, and provide some patient services for four weeks, during which time staff had to redirect patients to other hospitals, which eventually resulted in the $91.6 million in lost revenue.

  • by Revek ( 133289 ) on Wednesday August 18, 2021 @08:09AM (#61704337)
    Let's face it, they will just increase their rates and reduce coverage. There is no way they will take the hit for their incompetence. They will just pass it on.
    • People can then use those "other hospitals" they directed patients to.

    • Let's face it, they will just increase their rates and reduce coverage. There is no way they will take the hit for their incompetence. They will just pass it on.

      It's Scripps Health. They are good at doing exactly that.

    • It'll be interesting to see if executives collect on bonuses this quarter.

  • Look at the situation, first you have to get corporations to realize it can happen to them, then you have to get them to actually budget the however-many-millions it will cost to unfuck their long-neglected IT infrastructure from a security standpoint, which is harder to do apparently than getting them to open their wallets after they fuck up. And then you have to consider the limited number of qualified IT security professionals available, and the difficulty of wading through the hordes of incompetents who think they are qualified to find the ones who can actually do the job.

    Realistically there is physically no way to solve this problem on a short time scale.

    • Perfect computer security is a fantasy. Personally I think removing the incentive by shutting down the means for untraceable payments might be more promising. Untraceably sending around millions of dollars is a potential with more harm than good.
      • Personally I think removing the incentive by shutting down the means for untraceable payments might be more promising.

        If you shut down crypto all you will do is change where the money goes to the countries that willfully shelter these criminals, like Russia. We really don't need to be funding Russian disinformation programs.

        • Making crime easier and more broadly accessible doesn't make organized crime and kleptocracy go away.

      • Personally I think removing the incentive by shutting down the means for untraceable payments might be more promising. Untraceably sending around millions of dollars is a potential with more harm than good.

        Goshwillikins, we couldn't do that! Investors might have to start putting their money into something that actually produces economic benefits.

      • Perfect computer security is a fantasy.

        False. NASA has shown that unexploitable software is possible. They do find about one bug for 425K LoC but they are so niche that they aren't exploitable.

        • NASA has shown that unexploitable software is possible

          Even taking that as a given, the real question is whether or not it is practical.

          • Ransomware always seems to hit really soft targets, so yeah, spending a few million on software security would save them... $100M more. Much like escaping a bear requires only you be faster than the other fool, you don't need perfect software, just software that is more secure than the other guy.

            • There's not one bear, and one target. There's a whole world full of people motivated to carry off an attack, and you don't just have to escape once, you have to escape constantly. And the automated tools keep getting better and more available.

              • Right on all counts. From what I can tell, most issues aren't with the actual software but with the configuration of the software. Perfect is the enemy of good, and you just need good security to keep criminals at bay. Ransomware is sometimes used as a cover for nation-state attacks, but you need something of value for them to target you in the first place.

      • by Pascoea ( 968200 )
        That's some expert-level trolling. Well played.
    • Look at the situation, first you have to get corporations to realize it can happen to them, then you have to get them to actually budget the however-many-millions it will cost to unfuck their long-neglected IT infrastructure from a security standpoint, which is harder to do apparently than getting them to open their wallets after they fuck up.

      If all these companies that are giving people's physical data and financial data and credit card numbers away haven't figured it out by now, I'm wary that they ever will.

      I imagine the CFO comparing the cost of paying the ransom, and implementing actual security, and reporting that in servicing the stakeholders, it is more effective to just pay the ransom.

      Maybe huge fines to remove that incentive? Criminalization won't work, because they'll just fire the night custodian and the people that cause the prob

      • It's very simple: the CxOs need to be jailed for criminal negligence - along with any IT contractors who did not request signed documents absolving them from the consequences of using Windows for anything other than gaming.

        Windows is for Personal Computers, not corporate ones.

        • by jabuzz ( 182671 )

          Nah, just make it a 12-month minimum sentence for paying a ransom or being involved in paying a ransom. Further, a 10-year ban on holding a board-level or equivalent post in *ANY* company, and sacking from their current job with no options and no golden handshake. Six months if you are aware someone is paying a ransom and don't report it to the authorities.

          Get that implemented in the G7 plus EU and the problem will go away. No point in trying to get people to pay a ransom when no sane person is willing to pay.

        • It's very simple: the CxOs need to be jailed for criminal negligence - along with any IT contractors who did not request signed documents absolving them from the consequences of using Windows for anything other than gaming.

          Windows is for Personal Computers, not corporate ones.

          But you know that won't happen. About the only time higher-ups were ever prosecuted was in the Enron case. In that case, the people at the top were sociopaths. That's why I suggested fines that would make it make more financial sense to actually implement some security.

          As for ditching Windows - yeah, that would help. But that's going to be difficult to ditch. Good IT with a CIO who has the actual power to implement security measures will go a long way, even with Windows. The sort of power that the CIO

        • by mspohr ( 589790 )

          Shouldn't corporate use of Windows be de facto evidence of incompetence?

    • by gweihir ( 88907 )

      It is not quite that bad. There are a lot of quick-wins, for example reasonably protected backups (offline, cloud WORM storage). For very small companies, this can get as simple as USB-drives that are unplugged after backup. There can also be legal requirements for companies to implement minimum requirements or get fined a lot more than implementing them would have cost. And there can be legal prohibitions against paying the attackers.

      I do agree that this problem will be with us for a while, but in a decad

  • by bumblebees ( 1262534 ) on Wednesday August 18, 2021 @08:56AM (#61704485)
    If they would learn the lesson and put even a small portion of that sum into IT security, but alas, that is probably too much to wish for from the MBAs that are running things.
    • It's certainly by class action suits making insurance companies miserable, to the point where they start to demand decent standards, and threatening to refuse payouts when they're breached that change could come.

  • And lots more, but of course when it is free no one is interested. Free Pet Rocks [genolve.com]
    • And posted on the wrong story by: banner ad appearing and pushing down links just as I was clicking
  • I'm always amazed at how these places invoke HIPPA for everything, but turn around and simply give everyone's information away.

    HIPPA's only use now is for the person behind the reception desk to invoke as a way to avoid work.

    • by Anonymous Coward

      HIPAA only applies to the little guy. You know, the guy who gets blamed for a breach and goes to jail, while at most, HHS does a wrist slap on the organization. Just like with any regulations, some cash can always buy one out of them.

      • HIPAA only applies to the little guy. You know, the guy who gets blamed for a breach and goes to jail, while at most, HHS does a wrist slap on the organization. Just like with any regulations, some cash can always buy one out of them.

        +5 either insightful or informative 8^)

    • I've always been amazed that Slashdotters can't get the HIPAA acronym right. All you have to remember is "no, not like a hippo"

      • I've always been amazed that Slashdotters can't get the HIPAA acronym right. All you have to remember is "no, not like a hippo"

        It's a tough job, but someone has to correct us.

  • by Joe_Dragon ( 2206452 ) on Wednesday August 18, 2021 @09:23AM (#61704559)

    Hospitals have lots of 3rd-party vendor systems that:
    The hospital can't manage.
    Sometimes can't run OS updates on.
    Need remote access open so that the 3rd-party vendor can log into them from outside the hospital.
    Sometimes are on way out-of-date OSes.
    Etc.

    • by Anne Thwacks ( 531696 ) on Wednesday August 18, 2021 @09:49AM (#61704633)
      Or, in non technical terms:

      Are staffed by people not fit for the job.

      • Or, in non technical terms:
        Are staffed by people not fit for the job.

        The world changed and no one understood.

        Scientia potentia est. That sentiment exists in written form at least as far back as the Hebrew Ketuvim and the understanding is undoubtedly far older than that. Knowledge is power and that is directly manifest in business. The data accumulated by a business is the foundation of its data-information-knowledge-wisdom pyramid, the proverbial keys to the kingdom. Formerly that data existed solely on sheets of paper and in people's heads. Stealing it was exceedingly

    • Hospitals have lots of 3rd-party vendor systems that need remote access open so that the 3rd-party vendor can log into them from outside the hospital.

      No hospital should ever buy equipment with such a requirement. And yes, they can damn well do better. They can demand better. They are the ones spending millions to buy these PC-driven machines. They are perfectly capable of setting minimum purchase standards at a national association level.

      They have yet to figure out that they need to.

  • I've always been baffled by ransomware working at all. Everything I ever built, I could wipe and restore from backup in hours. Yes, lose some recent transactions, but my backups always ran at lunch and coffee breaks, never more than two hours at risk. (Yes, I was running pretty basic systems, one database, one directory of data files, one directory of code...but can't that scale?)

    "Cloud" always made me think of all applications running on really standard services, just spin up an out-of-the-box Oracle d

  • Write-once media based incremental backup is inexpensive and easy to deploy.

    There is no excuse for being susceptible to ransomware.

    Also stop using PCs lacking over-the-air operating reinstallation.
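As an added illustration of the protected-backup point made by gweihir above (offline or WORM storage that the attacker cannot overwrite) and by this post (write-once incremental backup), here is a small content-addressed backup store with write-once semantics. It is example code written for this page, not code from any commenter: blobs are named by their SHA-256 and opened with the exclusive-create mode, so an existing object can never be replaced through the store, unchanged files are not copied again (incremental), and a restore re-hashes every object it reads and refuses to proceed if a backup object has been altered. The class and file-layout names (`WormStore`, `objects/`, `manifests/`) are this example's own choices.

```python
import hashlib
import json
import os
import time
from pathlib import Path


def _sha256(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


class WormStore:
    """Content-addressed, write-once backup store (constructed example).

    Every blob lives at objects/<sha256-of-content>. Blobs and manifests are
    created with the "x" (exclusive create) mode, so a name that already exists
    can never be overwritten via this API, and are marked read-only afterwards.
    A real WORM target (object-lock bucket, unplugged drive) enforces the same
    property at the storage layer; this class only models that behaviour.
    """

    def __init__(self, root):
        self.root = Path(root)
        self.objects = self.root / "objects"
        self.manifests = self.root / "manifests"
        self.objects.mkdir(parents=True, exist_ok=True)
        self.manifests.mkdir(parents=True, exist_ok=True)

    def _put_blob(self, src: Path) -> str:
        digest = _sha256(src)
        dest = self.objects / digest
        if dest.exists():
            return digest  # incremental: identical content is stored only once
        with src.open("rb") as fin, dest.open("xb") as fout:  # "x": never overwrite
            for chunk in iter(lambda: fin.read(1 << 20), b""):
                fout.write(chunk)
        os.chmod(dest, 0o444)
        return digest

    def snapshot(self, source_dir, label=None) -> Path:
        """Back up every file under source_dir; return the new manifest path."""
        source_dir = Path(source_dir)
        entries = {}
        for path in sorted(p for p in source_dir.rglob("*") if p.is_file()):
            rel = path.relative_to(source_dir).as_posix()
            entries[rel] = self._put_blob(path)
        label = label or str(time.time_ns())
        manifest = self.manifests / f"{label}.json"
        with manifest.open("x") as f:  # manifests are write-once as well
            json.dump({"source": str(source_dir), "files": entries}, f,
                      indent=2, sort_keys=True)
        os.chmod(manifest, 0o444)
        return manifest

    def verify(self) -> list:
        """Re-hash every stored blob; return the names whose content no longer matches."""
        return sorted(p.name for p in self.objects.iterdir() if _sha256(p) != p.name)

    def restore(self, manifest, dest_dir) -> int:
        """Rebuild a snapshot under dest_dir; return the number of files restored.

        Each object is re-hashed before it is written out, so a tampered backup
        is detected instead of silently restoring bad data.
        """
        with Path(manifest).open() as f:
            files = json.load(f)["files"]
        dest_dir = Path(dest_dir)
        for rel, digest in files.items():
            blob = self.objects / digest
            if _sha256(blob) != digest:
                raise ValueError(f"backup object {digest} is corrupt; refusing to restore {rel}")
            target = dest_dir / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(blob.read_bytes())
        return len(files)


if __name__ == "__main__":
    import tempfile
    tmp = Path(tempfile.mkdtemp())
    src = tmp / "data"
    src.mkdir()
    (src / "records.txt").write_bytes(b"patient ledger v1")  # constructed sample data
    store = WormStore(tmp / "backup")
    first = store.snapshot(src, label="monday")
    (src / "records.txt").write_bytes(b"overwritten after the fact")
    store.snapshot(src, label="tuesday")
    print("intact objects:", store.verify() == [])
    print("restored", store.restore(first, tmp / "recovered"), "file(s) from", first.name)
    print((tmp / "recovered" / "records.txt").read_bytes())
```

The design choice worth noting is that the "offline" property comes from the storage target, not from the script: point `WormStore` at a drive that is unplugged after the run, or at an object-lock bucket, and the write-once mode plus the integrity check on restore are what tell you that what you are restoring is what you backed up.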
