Cyber Criminals Force a Hospital To Pay a $55.000 Ransom

The latest attack on the Hancock Health hospital’s patient data only shows that some hackers are prepared to do anything to get their payment. Luckily, in this situation, the file-encrypting malware called SamSam Ransomware enciphered just the patient files and none of the equipment needed to diagnose the patients were affected. However, without accessing the mentioned data and in the middle of a terrible flu season, the institution made a decision to pay the ransom even though they could backup all enciphered files. According to the hospital’s authorities what made them agree to transfer the money was a possibility it could take days or even weeks to recover encrypted data and because of this, the institution could not function as it ought to. Naturally, such decision was probably the best option considering their patients’ health. On the other hand, computer security specialists are saying putting up with the cyber criminals’ demands might only encourage them to attack more companies in the future.


The reports say the attack on Hancock Health hospital in Greenfield, Indiana was initiated last Thursday (January 11, 2018). It is also said the institution’s systems were attacked by a file-encrypting threat known as SamSam Ransomware. Apparently, the malware was designed to encrypt only patients’ files that could be accessed through the hospital’s remote-access portal. Consequently, over 1.400 files were encrypted and renamed as “I’m sorry.” Moreover, after investigating the attack, it was discovered the malware entered the system after the hackers behind it gained access via an unauthorized username and password which allowed them to connect to the hospital’s remote-access portal and drop SamSam Ransomware. Therefore, unlike in many other cases when systems get infected with ransomware, this time it did not happen because someone opened some suspicious email attachment.


After the attack, the hospital’s nurses and doctors had to document medical patients’ records with pen and paper. Fortunately, it did not make a lot of inconveniences since such practices were still applied at the institution from time to time. As for the patients themselves, it is said most of them did not realize that anything was wrong, although at the time the files were encrypted the problem could have been noticed by patients who might have tried to visit the portal to see their medical records online. There were some suspicions the hackers might have not only encrypted medical records but also made copies or in other words stole them from the institution's servers, but after investigating the attack further, the specialists did not find any signs of such activities. The incident was reported to FBI as well, and they confirmed the hackers behind SamSam Ransomware are usually just after getting a payment and not stealing valuable information.


Furthermore, the ransom note displayed once the patient data got enciphered stated the Hancock Health hospital’s authorities have to pay 4 Bitcoins if they wish to decrypt such files. Before making a decision, the hospital’s leaders held a meeting with IT specialists to discuss the damage caused by SamSam Ransomware and figure out what can be done. As we explained in the beginning, they chose to pay the ransom. Hancock Health CEO, Steve Long, explained that such a decision was made not only because of the attacks caused inconveniences, but also because recovering files from backup could have taken a lot of time and probably would cost much more than the asked ransom (at the moment of paying the worth of 4 Bitcoins was around $55.000). The money was transferred on Sunday, and two hours later the hospital and patients were again able to access their medical files.


Nevertheless, while it is understandable it might have been the best choice from a business standpoint as the Hancock Health CEO commented, the computer security specialists worry such actions could encourage cyber criminals to disrupt work for other institutions and extort money from them in the future. In fact, the institution’s authorities believe this might be not the last time they are facing such a threat, although after the attack they made sure everything they can is being done to prevent it from happening again. It is the truth the number of ransomware applications is only increasing, and so it becomes more and more critical to have a backup both for companies and home users. As extra precautions, computer security specialists also advise securing devices with reputable antimalware software and staying away from suspicious data received from the Internet.


  1. Cyber Attack. The official website of Hancock Health hospital.
  2. Jessica Davis. Ransomware attack on Hancock Health drives providers to pen and paper. Healthcare IT News.
  3. Sam Quinn. Hospital pays $55.000 ransom; no patient data stolen. Daily Reporter.
  4. Hancock Health gets access to hacked computer systems back after paying ransom. FOX59.