Sonoma Valley Hospital’s ‘security incident’ was Russian ransomware attack

Sonoma Valley Hospital’s internet interruption that started Oct. 11 has now been identified as a cyberattack, likely caused by Russian-controlled ransomware that has attacked six hospitals across the country, according to reports.

The hospital responded to the attack by taking all electronic systems offline and launched an investigation. The ransom was not paid and hospital officials are working with law enforcement and cyber experts to rectify the situation, the hospital’s public statement said.

The hospital board was briefed about the ransomware attack and advised by experts to not discuss the situation publicly because it may “encourage or influence the approach of the perpetrators,” said Bill Boerum, board member of the Sonoma Valley Health Care District.

The cybercriminals were prevented from blocking the hospital’s system access, and ultimately driven out of the system, but they may have “removed a copy of a subset of data,” the hospital’s announcement said. Some patients’ medical information may have been compromised, but the hospitals electronic health record system was not affected. Hospital officials believe financial information was unaffected as well.

A forensic investigation is being conducted to review what data and which individual patients may have been affected, and those patients will be notified when more detailed information is available.

A joint cybersecurity warning was issued this week by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) cautioning that cybercriminals were targeting hospitals and other healthcare systems using ransomware.

Authorities report that the attackers are not operating on a political platform, but are seeking financial gain. Sonoma Valley Hospital did not reveal how much the attackers asked for in ransom.

Credible information about an increase of malicious cyber-attacks led the agencies to issue the warning.

Using TrickBot and BazarLoader malware, cybercriminals gain access via phishing campaigns with links or attachments to malicious sites that contain malware. Once they have access to data they threaten to disrupt healthcare services. For example, in one cyberattack instance in Klamath, Oregon, patients who receive computer driven cancer treatments were unable to receive their treatments because of the malware control.

Officials are especially concerned about these attacks given the rise in COVID-19 pandemic cases.

A coordinated assault by Russian operatives in Moscow and St. Petersburg is behind the attacks that are likely using the same Ryuk ransomware behind the attack on Universal Health Services earlier in October, according to reports. The healthcare provider has some 400 hospitals in the United States and United Kingdom.

Sonoma Valley Hospital has a professionally staffed toll-free line with people familiar with the situation who can advise patients on precautions to take. The response line is 1-877-374-2465, and is available Monday through Friday, 8 a.m. to 5 p.m.

Most diagnostic tests at the hospital are still possible, and necessary surgeries and elective procedures are continuing without interruption, the hospital reported. The emergency care center is operating, and many other services are uninterrupted. While the patient portal is operational, new test results have not been posted there since Oct. 11.

Contact Anne at anne.ernst@sonomanews.com.