Columbia Surgical Specialists Data Breach (2019)

Columbia Surgical Specialists, which operates four medical offices in Spokane and Spokane Valley, says it paid hackers nearly $15,000 to decrypt patient information that was held hostage in a ransomware attack. In a two-page notice sent to patients Thursday, the company said it learned about the hack on Jan. 9 and “took immediate action to evaluate the extent and nature of the intrusion and to address the source as soon as the vulnerability was discovered.” The company said the compromised files may have included patients’ names, driver’s licenses, Social Security numbers and personal health information. “We received notice from the people that encrypted the files just a few hours before several patients were scheduled for surgeries, and they made it clear we would not have access to patient information until we paid a fee,” the company said. The doctors who own Columbia Surgical Specialists paid $14,649.09. “We quickly determined that the health and well-being of our patients was the number one concern,” the company said, “and when we made the payment they gave us the decryption key so we could immediately proceed, unlocking the data.” The company said its cybersecurity provider, Intrinium, analyzed its systems and “believes that no data was acquired, disclosed or used” by the hackers, though patient records were exposed during the attack. Columbia Surgical Specialists said it initially believed records of up to 400,000 patients may have been compromised, but “after further investigation, the actual number of potentially affected patients is substantially smaller.” The company’s statement didn’t say precisely how many patients might be at risk, nor did it say how the hackers made contact, how the doctors transferred the ransom money or what security measures were in place before the attack.