Columbia Surgical Specialists, which operates four medical offices in Spokane and Spokane Valley, says it paid hackers nearly $15,000 to decrypt patient information that was held hostage in a ransomware attack.
In a two-page notice sent to patients Thursday, the company said it learned about the hack on Jan. 9 and “took immediate action to evaluate the extent and nature of the intrusion and to address the source as soon as the vulnerability was discovered.”
The company said the compromised files may have included patients’ names, driver’s licenses, Social Security numbers and personal health information.
“We received notice from the people that encrypted the files just a few hours before several patients were scheduled for surgeries, and they made it clear we would not have access to patient information until we paid a fee,” the company said.
The doctors who own Columbia Surgical Specialists paid $14,649.09.
“We quickly determined that the health and well-being of our patients was the number one concern,” the company said, “and when we made the payment they gave us the decryption key so we could immediately proceed, unlocking the data.”
The company said its cybersecurity provider, Intrinium, analyzed its systems and “believes that no data was acquired, disclosed or used” by the hackers, though patient records were exposed during the attack.
Columbia Surgical Specialists said it initially believed records of up to 400,000 patients may have been compromised, but “after further investigation, the actual number of potentially affected patients is substantially smaller.”
The company’s statement didn’t say precisely how many patients might be at risk, nor did it say how the hackers made contact, how the doctors transferred the ransom money or what security measures were in place before the attack.
The company’s chief executive, Dr. Rod Emerson, did not immediately respond to a message seeking comment Thursday afternoon.
The company has set up a toll-free line for patient inquiries about the data breach. A message left with that number, (866) 219-2642, was not immediately returned Thursday evening. One surgeon who works for the company referred questions to Emerson.
The company said it waited to announce the breach until it fully understood the situation.
“We worked diligently to make the proper notifications as soon as possible without causing undue alarm with inaccurate information,” the statement said.
The company said it’s working with law enforcement and “continuing to review our internal protocols and procedures to prevent this from happening again.”
It also reported the breach to the Washington state Attorney General’s Office and the U.S. Department of Health and Human Services’ Office for Civil Rights.
Among other operations, Columbia Surgical Specialists runs the Spokane Ear, Nose & Throat Clinic at 217 W. Cataldo Ave.