BERLIN– The investigation into the cyberattack at Atlantic General Hospital is wrapping up, according to hospital leadership.
Don Owrey, president and CEO of Atlantic General Hospital (AGH), told the public this week the investigation related to the ransomware attack that hit the hospital in January was in its final stages.
“It’s been a learning process,” he said. “Something you never want to experience, quite frankly.”
On Jan. 29, AGH experienced a ransomware attack that resulted in network outage issues. While interruption to patient care was limited, operations impacted included the outpatient walk-in lab, pulmonary function testing, outpatient imaging and RediScripts.
As a guest speaker at a town hall meeting hosted by Worcester County Commissioner Chip Bertino this week, Owrey recounted the incident and said he was proud of the hospital’s response. While the attack disabled aspects of the hospital’s network, Owrey said key operations like the emergency room, operating room and endoscopy department stayed up and running.
He added that the hospital was insured for events like this.
“We have cyber insurance,” he said. “It’s the environment that we live in unfortunately.”
Owrey said he’d been asked about the hospital’s future in the wake of the incident.
“We will survive this,” he said. ‘It’s been incredibly disruptive to our business operations, as you can imagine, but we will survive this. The reason I say that is because, in order for an insurance carrier to underwrite us we have to make sure we’re insurable.”
He said AGH had extensive measures in place before the attack and had even more so in place now. He said organizations had to be prepared, as cyberattacks had essentially become a business.
“This has become an industry in and of itself,” he said. “We’ve learned that. We’ve talked to experts across the country.”
Attendees asked if the hospital had to give in to the hackers.
“If the question is did we meet the request of the ransom, we did not meet the request of the ransom,” Owrey said, adding that because it was a criminal investigation he couldn’t share all the details.
He did say that the attack was orchestrated by a group in China.
“They’ve attacked a number of hospitals,” he said. “Their MO, how they work, is known to the FBI. We spoke to the FBI that Sunday morning (after the attack). They immediately knew who they were, they knew all about them. We learned subsequently, they have what’s called a call center. That’s how organized this outfit is. When I spoke to the leading expert nationally for cybersecurity in the healthcare industry, he gave me a 10-or-12-page writeup on this organization.”
A retired nurse in the audience asked if the hospital’s medical records were hacked.
“That’s a great question,” Owrey said. “What I can tell you is they did not get into our electronic medical records.”
He said AGH’s electronic health records, commonly referred to as EHR, were hosted remotely.
“What we’ve got the investigators looking at is what did they look at on our servers,” he said. “We know they looked at a lot of folders. Within a folder is our files. We have to pore through that and see is protected health information in there.”
Owrey said that process was a time consuming one.
“We’re wrapping that process up with our consultants,” he said. “We’re 100% confident that access to electronic health records did not happen.”