OLEAN — Hackers attempting to ransom the computer systems at Olean Medical Group on Friday did not access records for 40,000 patients, group officials reported Monday.
In a faxed press release sent Monday, OMG officials noted the group is still seeing patients, even if charting is being completed by pen and paper instead of computer as the group recovers from the attack.
A similar situation appears to exist with the Seneca Nation Health System, with OMG officials reporting it is the same type of attack they experienced. The SNHS website also reported the computer system is down.
“We have had a computer system failure at the SNHS,” a release on the system’s website signed by acting CEO Mark Halftown states. “Thankfully your Protected Health Information has NOT been compromised. Unfortunately, we do not have access to your charts or our scheduling system at this time. If you have an appointment with us, please contact the health center to confirm so we can prepare for your visit.
“We are working feverishly to rebuild our system and we apologize for any inconvenience. Thank you for working with us at this time.”
SNI press representatives could not be immediately reached for comment.
Speaking to the Times Herald Monday evening, CEO Christine Strade and Dr. Fred Lewis, chairman of OMG’s executive board, compared the incident to a terrorist attack seeking what Lewis called “a significant amount of money.”
No individual took credit for the attack, with only an email address as a clue.
“A lot of these attacks come from overseas, but that’s just conjecture on our part,” Lewis said.
“We want to assure people we haven’t lost any personal information, credit card numbers,” he added, with an outside forensic analysis firm determining no records were removed.
The group has not yet contacted law enforcement — the FBI will be contacted in connection to the case, Lewis said — because the extent of the hack and the security of the patient records had to be determined first.
“We had to wait until we knew if there was any patient information extraction,” she said. “We did that yesterday.”
More than 150 employees were called in to a meeting on Father’s Day for an update on the investigation, with the public being informed Monday.
Following the review, it was determined a string of attacks — most originating in Eastern Europe and Africa — were stopped by the security system before the breach.
“They’ve been trying to access our information since February, but we stopped it,” Lewis said.
According to the U.S. Department of Health and Human Services, there are approximately 4,000 daily ransomware attacks since early 2016. Ransomware is a type of software designed to deny access to a user’s data until a ransom is paid. However, in many cases the person holding the data for ransom can withdraw the data for nefarious uses, or even destroy the data.
OMG is not the first in Western New York to be hit by a cyber attack.
In 2017, Erie County Medical Center suffered a ransomware attack, declining to pay a $30,000 ransom, but instead overhauling the hospital’s computer systems at a cost of around $10 million, including millions in lost revenues, staff overtime and increased expenses.
“It took them months to recover,” Lewis said. “This has been going on a long time.”
Such attacks have even garnered attention in pop culture. The television show “Gray’s Anatomy” used a ransomware attack as a plot device in 2017, while other shows have also used attacks on medical, law enforcement and government computer systems.
MOVING FORWARD, the group is going back to its old pen-and-paper method of record keeping.
“This is a major paradigm shift for the group as a whole,” Lewis said, adding only long-time employees worked at the group since before the first electronic medical records were kept in the mid-2000s. “Many of our employees weren’t here then.”
Patients are being asked to bring in medications or a medication list, insurance cards and medical history when coming for appointments for the immediate future.
“I think things were a little slow today,” Lewis said, adding he expects things to speed up in the coming days. “For most people, it should be mostly seamless.”
Much of the credit belongs with the employees, officials said.
“Our employees are pulling together,” he said, with many of the older hands taking to the paper charting with ease. “For the individual patient, it shouldn’t make any difference.”
The group employs around 200 people, serving a patient population of around 40,000, officials said.
Long-term, the group will begin setting up a new system unaffected by the ransomware — which will be helped by partner health care providers.
“Because of the federal government wanting all records to be interoperable (with other health care providers), we sent our records out,” Strade said, and now OMG will work to get those records back to populate a new computer system.