A critical access hospital in southern Illinois was targeted by an unknown party with access to protected health information, who threatened to release more data unless a "substantial" ransom payment was made.

 

The 22-bed Clay County Hospital in Flora, Ill., notified its clinic patients that back on Nov. 2 the hospital received an anonymous email containing patient PHI. The email sender threatened to make the confidential information public unless they received a "substantial payment" from the hospital, CCH officials explained in a Dec. 15 notification letter to affected patients. 

 

Clay County Hospital officials immediately notified law enforcement, according to the notice. The compromised data included patients names, addresses, Social Security numbers and dates of birth. Following an investigation by external forensic experts, it was determined that hospital servers had not been hacked and "remain secure."

 

In order to prevent future incidents, Clay County Hospital is implementing extra internal security measures," officials wrote in the notice. "These include additional logging systems and auditing features to track and control data access."

 

This is far from an isolated incident involving holding protected health information hostage in order to receive payments. Rather, as the healthcare industry makes the switch from paper records to digital, these episodes are part of a larger upward trend. 

 

A similar event occurred back in August 2012 when another Illinois-based healthcare organization, The Surgeons of Lake County, reported that a hacker had broken into their servers, swiped electronic PHI, encrypted the data and then proceeded to post a ransom note demanding financial payment in exchange for the password to the data.