Breach Notification , Fraud Management & Cybercrime , Healthcare

Oklahoma Hospital Says Ransomware Hack Hits 133,000 People

Incident Is Among Growing List of Attacks on Small, Rural Hospitals
Oklahoma Hospital Says Ransomware Hack Hits 133,000 People
Image: Great Plains Regional Medical Center

An Oklahoma hospital quickly restored its IT systems after a ransomware attack in September, but the 62-bed hospital could not recover some patient data and later learned that hackers may have accessed the personal information of 133,000 people.

See Also: Effective Communication Is Key to Successful Cybersecurity

Great Plains Regional Medical Center, a public hospital based in Elk City, which serves western Oklahoma, reported the incident to federal regulators on Nov. 7 as a hacking incident involving a network server.

While Great Plains is small in size, its data breach, which affected 133,149 individuals, is among the largest incidents so far reported by a single regional or community hospital in 2024 to the U.S. Department of Health and Human Services.

Great Plains Regional in a breach notice said that on Sept. 8 it suffered a ransomware attack on its computer network. The investigation into the incident determined that an unknown threat actor accessed and encrypted the medical center's systems between Sept. 5 and Sept. 8.

"We learned that the bad actor copied some of those files. We quickly restored our systems and returned to normal operations, but we also determined that a limited amount of patient information was not recoverable," Great Plains Regional said.

Great Plains Regional said the affected patient information varied by individual, but may have included name, demographic information, health insurance information, clinical treatment information, such as diagnosis and medication information, driver’s license number, and in some instances, Social Security number.

Great Plains Regional did not immediately respond to Information Security Media Group's request for additional details and comment about the incident.

The hospital's inability to recover some of the affected patient data could be due to a number of possible reasons such as the availability of backup storage, some experts said.

"It could indicate that the latest backups did not contain the most recent data, potentially from the day of the attack, or perhaps they had a backup issue with a small portion of the data," said Scott Weinberg, CEO of managed IT services provider Neovera.

Another possible scenario "is that in order to restore services and data as quickly as possible, they may not have been able to take the time for a full restore but opted for a partial - or faster - restore while working out the rest of the issues," he said.

Another reason could be that Great Plain was replicating data to another device that was not affected, but the timing period of replication might not have been real time to capture all data, he said. "For example, they could’ve been replicating every 30 minutes instead of real-time."

Of course cyberattacks and especially disruptive incidents such as ransomware attacks not only put patients' data at risk, but also their safety - particularly when victim organizations are small, regional or rural hospitals.

"Cyberattacks on healthcare providers can negatively impact patient care," said Tim Erlin, security strategist at security firm Wallarm. "When that happens in urban areas, emergency patients are redirected to other local area providers. In rural areas, that simply isn’t possible. If you’re the only provider in the area, then the consequences of a cyberattack are more impactful," he said.

Rural Risks

Certainly, dozens of smaller community and rural hospitals have found themselves in the crosshairs of disruptive cyberattacks in recent weeks, months and years.

Earlier this month, Memorial Hospital and Manor, an 80-bed hospital and 107-bed long-term care facility in Bainbridge, Georgia, suffered a ransomware attack allegedly by cybercriminal gang Embargo (see: Attack Hits Small Rural Georgia Hospital, Nursing Home).

A late 2023 ransomware attack on Medical Center Barbour, a 74-bed acute care hospital in Eufaula, Alabama, resulted in a breach affecting 61,014 individuals (see: Small Rural Alabama Hospital Reports Big 2023 Hacking Breach).

Such incidents spotlight the ongoing cyber challenges faced by small, rural and community hospitals.

"Rural hospitals provide underserved communities with lifesaving services but can be critically hindered by cyber threats," Paul Underwood, vice president of security at Neovera.

"These rural hospitals sometimes can't fill much-needed cyber-related jobs because many people move to more urban areas for higher-paying positions," he said.

But when these important pillars of healthcare in a small community suffer a cyber incident that also results in a data compromise affecting many, confidence is also shaken, he said.

"Small rural health systems have a trust factor with their neighbors and community members. With the loss of personally identifiable information, the ability for a malicious actor to take advantage of one user's information to compromise another can be much higher, resulting in more compromise to these at-risk individuals," Underwood said.

In fact, some class action law firms are already issuing public statements that they are investigating the Great Plains Regional incident for potential litigation.

"As a result of the data breach, these individuals’ personal and highly sensitive information may be in the hands of cybercriminals who can place the information for sale on the dark web or use the information to perpetrate identity theft," said Murphy Law Firm in a public notice issued Monday.

One of the biggest concerns with having a hack involving so much concentrated data about a regional population of patients is that it makes social engineering attacks become a lot easier to pull off, said Austin Allen, director of solutions architecture at security firm Airlock Digital.

"By listing a number of local people off, the attacker is more likely to gain credibility and be able to trick their victim into performing an action that would compromise their computer or send payments to fraudulent accounts," he said.

Local, state and federal agencies are aware of the cyber challenges that many healthcare sector entities - especially smaller, community and rural hospitals - are struggling with, and are taking action to help.

"Providing resources to these rural hospitals through state programs like the Washington Cyber Audit Initiative, CISA or regional cyber awareness training can help provide existing staff with better security knowledge in protecting their organizations," Underwood said. "Additionally, local guard and reserve organizations can provide much-needed training and support when these organizations need it."

Such was the case in November 2020 when Vermont Governor Phil Scott called up the state’s National Guard to assist the University of Vermont Health Network recover from an ransomware attack that disrupted patient services at the organization’s six hospitals and other care facilities for weeks (see: Call In the National Guard: Entities Respond to Threats).

On the federal level, agencies such as CISA, are also offering resources to help rural and small healthcare entities to shore up their cybersecurity (see: Shoring Up Cyber at Rural, Small Hospitals).

But right now, whether and how those CISA programs might continue after the changeover from the Biden to Trump administrations in January is uncertain.

John Riggi, national adviser for cybersecurity and risk at the American Hospital Association said that rural hospitals provide critical health services to 60 million Americans, or nearly 20% of the US population, but generally have far less human, financial and technical resources to defend against cyberattacks.

"It must be an imperative for the federal government to provide resources and training for these rural hospitals or work with us on finding creative solutions to fill the resource gap," he said. One example of public private partnerships is AHA’s ongoing initiative with the White House and Microsoft to bring rural hospitals free and heavily discounted essential cybersecurity services, he said (see: Microsoft, Google Offering Cyber Help to Rural Hospitals).

"But we can’t win this fight through defensive cybersecurity measures alone. Like any battle, we need offense as well. We need the federal government to increase its cyber offensive operations against these ransomware groups and to truly confront them for what they are - cyber terrorists."


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing ransomware.databreachtoday.com, you agree to our use of cookies.