Here’s why everyone is mum after ransomware attacks

Did you see the news yesterday about the ransomware attack against Emory Healthcare in Atlanta?

According to Health Data Management, a hacker breached the appointment scheduling system at the Emory Clinic’s Orthopedics and Spine Center and the Brain Health Center, and demanded an unspecified ransom. The breach affected 79,930 patients.

Emory Healthcare said it learned of the hack on Jan. 3, and the organization submitted a breach report to the HHS Office for Civil Rights on Feb. 21.

But that’s all the organization said, and for good reason. It’s the same reason why MedStar Health in the Washington-Baltimore area has not spoken to the press about its ransomware attack last March and April.

At a preconference symposium before last week’s HIMSS conference in Orlando, Florida, a security expert told attendees that the FBI instructs health systems not to talk publicly about such attacks, or disclose whether they have paid ransom. Hollywood Presbyterian Medical Center in Los Angeles did confirm that it paid about $17,000 in ransom a year ago, but as I wrote at the time, the hospital doesn’t seem to have much of a clue about a lot of things, including patient safety and public ratings.

But if you’re wondering why you haven’t heard much follow-up from hacked hospitals, it’s likely because of the FBI, which doesn’t much like to compromise criminal investigations.