As you may know, the hospital experienced a ransomware cyberattack on October 11 by what we believe is a Russian “threat actor.” It was part of a broader attack on several hospitals across the country. We immediately responded by shutting down all systems to contain the damage, which was largely successful in protecting hospital data. We did not receive a ransomware note until October 18 which explained the intrusion, and we have not paid anything to the threat actor and are cooperating with law enforcement.
We apologize for not sharing more information until recently, but the cybersecurity experts we brought in to help recommended that we keep most of this information confidential so as not to inform the threat actor of our response during containment and recovery.
In a ransomware attack, a threat actor attempts to disrupt the business by locking companies out of their own data and servers. After discovering the attack, our cyber security team – in partnership with outside information technology and forensics experts – successfully prevented the cybercriminal from blocking our system access and ultimately expelled them from our system.
The attack has affected hospital operations on a number of levels, but due to quick action we were able to maintain most services throughout the response period. While outpatient lab work was reduced to lighten the load, and mammography was discontinued because of delays in reading scans, surgery and most diagnostic testing have proceeded as normal, as has 24/7 emergency services. The Hospital’s electronic health record system was not affected and the patient portal remains available, but new results have not been posted since October 11, although we expect it to be updated soon.
We’re carefully checking all of the Hospital’s 72 systems and 215 workstations, bringing each system up in order of priority, and systems are now more than halfway restored.
While the threat has been contained, we are still working to confirm the extent of access gained by the threat actor. We believe it was limited to certain patient testing data and do not believe patient or staff financial information was compromised. When the forensic investigation is concluded, we will notify individual patients whose information may have been affected by the breach, and identify the specific information involved.
On a positive note, we have cyber insurance to help us cover our expenses and we also have enough cash on hand to manage through this downtime period.
We continue to work with outside experts, including those from UCSF Health, to restore our systems and implement new security procedures that will help protect the hospital in the future.
Let me also say how much we appreciate the understanding and support we’ve had from our community about this incident, which has been one of the most significant emergency events in our hospital’s history. I am especially proud of our staff and their efforts to help us manage through this emergency with grace and teamwork, while maintaining services to our community. Many have gone above and beyond in recent weeks, with some working around-the-clock to restore operations, and we are grateful for their dedication.
In good health,
Sonoma Valley Hospital