One afternoon in late October, the information technology department at the University of Vermont Medical Center started receiving reports of glitching computer systems across its network.
Employees reported they were having trouble logging into business and clinical applications. Some reported the systems weren’t working at all. Within a few hours, the IT department began to suspect the hospital was experiencing a cyberattack.
The possibility was very much on the IT team’s radar, as several other major hospital networks nationwide fell victim to cyberattacks earlier last fall.
Immediately, UVM Medical Center cut off all internet connection to the network to protect what data it could. Soon after, the department discovered a text file on a network computer, apparently left by the perpetrators of the attack.
“It basically said: ‘We encrypted your data, if you wanna get the key to un-encrypt it, contact us,’” explained Doug Gentile, senior VP of network information technology at the medical center. “There was no specific ransom note, no specific dollar amount or anything like that, it was just: ‘here’s how you contact us.’”
The department immediately contacted the FBI, and opted not to reach out to the attackers. “Even if you contact them, even if you pay them, you have no guarantee they’re gonna deliver anything,” Gentile said.
Over the ensuing weeks, UVM Medical Center worked closely with the FBI to investigate the source of the attack while the hospital operated without access to most of its data for several weeks.
“Of course we have standard procedures for if systems go down, but being down for two to three weeks is beyond what we ever expect. It was stressful for people,” Gentile said. The attack cost the hospital between $40 million and $50 million, mostly in lost revenue.
But, it could have been worse.
“While it was a significant inconvenience and a big financial hit, the fact that no data was breached was huge,” Gentile said. When the cyberattack was discovered, hospital officials feared patient data could be stolen. Things like Social Security numbers, insurance information, and medical records were all on the line.
Often, in cases like this, cybercriminals steal data and sell it on the darknet to make a profit, or hold it for ransom, demanding large sums of money in exchange for encrypted data.
On Tuesday, the hospital revealed for the first time how the attack was carried out. Gentile explained that an employee took a corporate laptop on vacation last fall and opened a personal email from their local homeowners association.
“It was a legitimate email from a legitimate company,” Gentile said. “Unfortunately, that company had been hacked.”
When the email was opened, cybercriminals deposited malware — software intended to cause harm to computer systems — onto the laptop. A few days later, when the employee returned to work and connected to the UVM Medical Center network, attackers were able to use that malware to launch the network-wide attack.
Gentile characterized it as a “phishing attempt,” saying attackers were likely going after whoever they could. “It certainly didn’t seem like they were specifically targeting us; we just got caught up in a broader attack,” he said.
The employee faced no disciplinary action. It was clearly an accident that the malware made its way onto the computer, Gentile said. “It could have happened to anyone,” he emphasized.
Since the attack, UVM Medical Center has taken steps to combat future attacks like it. The IT department now sends out regular simulated phishing emails to employees in order to heighten awareness around the risk of phishing. If an employee clicks on it, the department provides immediate feedback to help them identify real phishing emails in the future.
The department has also blocked access to personal email on all work computers, installed anti-virus response software and advanced firewall protection, and restricted access to the corporate network.
The FBI told medical center officials the attack was likely carried out by a cyber criminal gang that it had been aware of for some time.
“The motive here was clearly money,” Gentile said, “nothing else.”