Further information about the Murfreesboro Medical Clinic & SurgiCenter ransomware attack has become available.
What happened
Murfreesboro Medical Clinic (MMC), which has seven locations and approximately 900 employees, was involved in a cyberattack in late April.
The breach was initially identified by MMC's IT team on April 24, 2023, but their investigation determined the attack occurred on or around April 22.
MMC could not verify if information had been stolen, but they found that the ransomware group had obtained significant access to data.
According to MMC, data that may have been stolen included names, dates of birth, addresses, full or partial Social Security numbers, medical and diagnostic information, procedure notes, insurance information, and more.
What's new
In mid-June, MMC released further details on the incident and reported that approximately 559,000 patient and employee information may have been stolen. MMC also said they were rebuilding their network with enhanced security features to reduce the possibility of future attacks.
Furthermore, according to a recent report, BianLian, a ransomware organization that emerged in 2022, took credit for the attack. On Monday, reporters found that MMC had been listed on BianLian's website, most likely in an attempt to pressure MMC into paying the ransom. The listing on BianLian's website disappeared soon after, and it's unclear if a ransom was paid.
What was said
In a statement, Joey Peay, the chief executive officer for MMC, said they would not be paying a ransom, "We refused to engage with them. Law enforcement and (legal) counsel advised us not to. It's the principle of the matter."
Refusing to pay ransoms is a growing strategy of healthcare organizations, with the goal of making ransomware attacks less destructive and less effective for ransomware organizations. Even so, ransomware attacks continue to have a significant effect on hospitals.
Why it matters
For MMC, the ransomware attack briefly upended their hospital's processes. Certain services, particularly their laboratory and radiology services, were closed for days, leading to patient delays and uncertainty. Apart from this, they also remodeled their security system, an extensive process.
MMC is far from the only medical center to face harsh repercussions from ransomware. Recently, two rural Illinois hospitals shut their doors, citing financial difficulties–including the effects of a ransomware attack–were to blame.
Read more: Rural Illinois hospitals set to close after ransomware attack
What's next
Furthermore, a recent report details that ransom attacks continue to grow in sophistication, requiring steadfast diligence and evolving security measures.
Related: #StopRansomware Guide released by the U.S. Joint Ransomware Task Force
The bottom line
While the cyberattack on MMC occurred months ago, the hospitals are still reeling from the aftereffects. It's difficult to determine the true cost of a ransom attack until long after the attack is over.
Nevertheless, attacks like BianLian are quickly becoming the norm and require hospitals to adapt to the challenges or face significant repercussions, both financially and in the well-being of their patients.
Related: HIPAA Compliant Email: The Definitive Guide
Abby Grifno
