NRC Health, a supplier of patient survey services and software to over 9,000 healthcare groups, including 75% of the biggest hospital networks in the United States and Canada, suffered a ransomware attack on February 11, 2020 that impacted some of its computing systems.
NRC Health quickly took steps to contain the damage and shut down its entire environment, including its client-facing systems. A well-known computer forensic investigation firm was contracted to determine the nature and scope of the attack, and the incident has been reported to the Federal Bureau of Investigation.
According to the NRC Health web portal, the data of more than 25 million healthcare consumers in the United States and Canada is gathered by NRC Health every year. Patient surveys carried out by NRC Health on behalf of its clients allow them to show that patients are satisfied with the services they have been provided with. That information is important for helping to enhance patient care and also for calculating how much Medicare reimbursement healthcare providers receive under the Affordable Care Act. Healthcare clients also use patient satisfaction scores to calculate how much executives and physicians get paid.
NRC Health said major progress has been made in restoring its systems and services to customers, and a full recovery is predicted for the next few days. Alerts have been sent to its healthcare clients advising them about the attack, and updates are being sent to clients on a daily basis until the incident is fully addressed.
In the alerts, NRC Health said the early findings of the investigation suggest no patient data or sensitive client information has been impacted.
Ransomware attacks on healthcare groups have grown over the past 12 months, after a drop in attacks during 2018. Many threat groups have taken to stealing patient data before deploying ransomware to encourage victims to pay the ransom demands. According to a recent review carried out by Comparitech, there have been 172 healthcare ransomware attacks since 2016. Those attacks have cost the healthcare sector a minimum of $157 million.