The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a $240,000 civil monetary penalty against Providence Medical Institute in California on October 03, 2024.
The penalty was imposed for potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule, following OCR's investigation of a ransomware attack breach report.
The investigation was initiated after Providence Medical Institute reported a series of ransomware attacks that affected the electronic protected health information (ePHI) of 85,000 individuals between February and March 2018. OCR's investigation determined that servers containing ePHI were encrypted with ransomware three times.
Ransomware and hacking have become primary cyber threats in the healthcare sector, with a 264 percent increase in large breaches reported to OCR involving ransomware attacks since 2018.
OCR Director Melanie Fontes Rainer emphasized the importance of fully implementing all HIPAA Security Rule requirements to protect the privacy and security of patients' health information.
The HIPAA Security Rule establishes national standards to protect individuals' electronic personal health information and requires appropriate administrative, physical, and technical safeguards to ensure its confidentiality, integrity, and security.
Commentary
The HIPAA Security Rule establishes national standards to protect individuals' electronic protected health information (ePHI) that is created, received, used, or maintained by a covered entity. It requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of ePHI.
The rule mandates that covered entities and their business associates implement measures such as risk analysis, risk management, information access management, and security awareness training to defend against cyber-attacks and other threats to ePHI.
In the above matter, the healthcare organization was determined to have suffered three "encrypted ransomware" attacks.
An encrypted ransomware attack is a type of cyber attack where malicious software, like ransomware, encrypts the data on a victim's system or network. The attacker then demands a ransom from the victim in exchange for the decryption key needed to restore access to the encrypted data. This type of attack disrupts the availability of the system and its resources, rendering the stored data inaccessible until the ransom is paid.
During such an attack, common user files like Office documents, PDFs, images, videos, audio, text, and source code files are typically encrypted. The ransomware may also encrypt critical system files, disk partitions, and even virtual machines. Attackers often use additional techniques to maximize the impact, such as modifying file and directory permissions or shutting down/rebooting systems to gain access to and manipulate the files. In some cases, the ransomware may propagate across a network, leveraging other attack techniques to infect multiple systems.
The goal of an encrypted ransomware attack is usually financial gain, as the attackers demand payment in exchange for the decryption key. However, in some cases, the attackers may not save or transmit the decryption key, rendering the data permanently inaccessible.
While the goal is often purported to be "ransom", the thieves will often steal data as well. This tactic, known as "double extortion," has become increasingly common.
According to a report from Arctic Wolf, 96 percent of all reported ransomware incidents in 2024 included data exfiltration. This shift in cybercriminal behavior is driven by the desire to maximize pressure on victims and protect the revenue streams of organized criminal operations. By stealing data before encrypting it, attackers can threaten to release sensitive information if the ransom is not paid, thereby increasing the likelihood of receiving payment.
The final takeaway is that there is no good outcome from ransomware. Ransomware attacks lead to fines and to lost revenue, data, productivity, and public confidence. The best way to address ransomware is to prevent it.
Sources: https://www.hhs.gov/about/news/2024/10/03/hhs-ocr-imposes-civil-monetary-penalty-against-providence-medical-institute-hipaa-ransomware-cybersecurity-investigation.html and https://www.forbes.com/sites/daveywinder/2025/02/26/data-theft-is-the-ransomware-new-normal-extortion-demands-average-600000/ and https://attack.mitre.org/techniques/T1486/