Kansas Heart Hospital had fallen victim to one case of ransomware when it had decided to pay the ransom; however, they did not expect the attackers to continue to withhold information even after the payment was made and demand a second ransom. When asked how much money the hospital paid for the first ransom, President Greg Duick, MD declined to release the exact amount and only said that it was “a small amount” and that patient information and routine operations were not affected. It should be noted that Hollywood Presbyterian Hospital paid $17,000 after a similar attack in February. The hospital has refused to pay the second ransom after seeking consultation despite the fact that a portion of their data is still locked.
Ryan Witt, VP and managing director of the healthcare industry practice at security specialist Fortinet believes that “Demands for funds are soaring, and the problem is organizations are paying. Ransomware will get worse before it gets better. You don’t want to think of return on investment as it pertains to criminal activity, but there is a strong ROI, and these attackers are quite sophisticated and know there is money to be made.”