Sonoma Valley Hospital hit by cybercriminals with ransomware attack

Sonoma Valley Hospital said Friday it suffered a disruptive cyberattack on its computer systems, which is believed to be part of a coordinated Russian operation targeting up to 400 hospitals across the United States while they are especially vulnerable during the coronavirus pandemic.

The suburban hospital sustained what’s called a ransomware attack on Oct. 11 and then “immediately stopped the incident by quickly taking all electronic systems offline,” company officials said in a statement acknowledging, though, that some patient information might have been compromised.

During such an attack, cybercriminals attempt to lock businesses out of their own computer servers, unless they pay a multimillion-dollar ransom. The FBI has said there is no guarantee that victims get their data back if they acquiesce, and the agency recommends against paying it.

The hospital, which employs 352 full-time workers, said it prevented the attackers from blocking its computer systems and ultimately kicked them out. It did not pay ransom and is working with law enforcement on the matter.

Hospital officials said the cybercriminals “may have removed a copy of a subset of data” during the intrusion without mentioning any specifics since an investigation continues.

It is possible that “some patient medical information was compromised,” but hospital officials said they don’t think financial account or payment information was accessed by cyber thieves. The hospital’s health records system was not affected, officials said.

While contending with the cyber intrusion, the hospital has been delivering emergency care and performing necessary surgeries, and the majority of patient diagnostic tests are still being done, officials said.

The public disclosure Friday by the Sonoma Valley medical center was its most extensive since the computer security breach occurred nearly three weeks ago and came after questioning by The Press Democrat. The local newspaper’s latest questions came on the heels of reporting this week about the Ryuk ransomware attacks by the New York Times and the Washington Post, which noted some of the American hospitals purportedly being infected by Russian hackers, mentioning Sonoma Valley Hospital as likely one of their victims.

The cybercriminals were trading a target list of 400 U.S. hospitals and medical complexes, including in New York and on the West Coast, and 30 of them were infiltrated, the New York Times reported Wednesday based on an online security company that uncovered the information and shared it with the FBI.

C.M. Kruse de la Rosa, a Sonoma Valley spokeswoman, declined to comment Friday beyond the prepared statement issued to the Press Democrat, including questions about whether the hospital experienced the crippling attack by Russian-speaking operatives; the number of people affected by data loss; or when the hospital’s computer system again would be fully operational.

“The forensic investigation is ongoing to identify individual patients potentially affected and specific data involved. We will notify affected patients, as appropriate, when we have more detailed information available to us,” hospital officials said in their statement. From July 1, 2019 to June 30, the hospital has had 47,802 outpatient visits and 9,784 emergency visits, according to its records.

The FBI, the Department of Homeland Security and the Department of Health and Human Services issued a joint advisory on Tuesday to U.S. hospitals and health care providers that cyber hackers were trying to implant malware on their computer systems to hijack them for ransom. The advisory did not mention Russian operatives.

The hackers are the same group behind TrickBot, a conduit for ransomware attacks government hackers and technology executives have uncovered over the past month, according to media reports.

There are fears these same cybercriminals will attempt to tamper next week with computer systems used in states and counties to tally U.S. election results.

Sonoma Valley patients with questions about the situation can call the hospital at 877-374-2465 from Monday to Friday from 8 a.m. to 5 p.m.

You can reach Staff Writer Bill Swindell at 707-521-5223 or bill.swindell@pressdemocrat.com. On Twitter @BillSwindell.