A ransomware attack on Spokane,
Washington-based Columbia Surgical Specialists on Jan. 9 resulted in unauthorized
access to the medical records of almost 400,000 patients, the
healthcare provider said in a press release. Although the FBI and security
companies advise organizations not to give in to hacker demands, the company paid
almost $15,000 in ransom for a decryption key, arguing the health of its
patients was more important, as surgeries were scheduled for that day.

“Yes, we paid $14,649.09. We
received notice from the people that encrypted the files just a few hours
before several patients were scheduled for surgeries, and they made it clear we
would not have access to patient information until we paid a fee,” the firm
said. “We quickly determined that the health and well-being of our patients was
the number one concern, and when we made the payment they gave us the
decryption key so we could immediately proceed unlocking the data. (Again, we
believe the information was locked, but not obtained, by the perpetrators). The
payment came from the doctors who own Columbia, and will not be passed on to
our patients.”

Columbia Surgical Specialists said
it only reported the data breach on March 7 because of an ongoing investigation
into its networks to determine how the security incident happened. While the
company claims no data was stolen or compromised, it thought it best to warn clients
that personal data such as name, driver's license, Social Security number and
other health information may have been exposed. There's no evidence that data
was misused by third parties, it claims, and when the forensic investigation
was finalized, the number of patients who may have been affected dropped significantly.

The incident was reported to the
US Department of Health and Human Services' Office for Civil Rights, local news
and the Washington State Office of the Attorney General, as per legal
requirements.