Ashland Women’s Health Ransomware Attack Confirmed

The ransomware attacks on healthcare providers are continuing, with one of the latest victims a small one-practitioner gynecology practice in Ashland, Kentucky.

Ashland Women’s Health recently informed the Department of Health and Human Services’ Office for Civil Rights (OCR) that the attack had potentially resulted in patients’ protected health information being accessed by the attackers.

Ransomware attacks are reportable to OCR unless a healthcare provider can demonstrate there was a low probability that ePHI was compromised. In this case, that could not be ruled out with a high degree of certainty. Potentially the ePHI of up to 19,727 patients was compromised.

While Locky, CryptXXX, Cerber, and Samsa have been extensively used in targeted attacks on healthcare providers, in this case the attack involved a lesser-known ransomware variant called HakunaMatata. HakunaMatata ransomware is a variant of NMoreira or AiraCrop ransomware. The ransomware variant uses RSA-2048 and AES-256 encryption to lock files, and shares a number of similarities with the better-known Spora ransomware.

It is currently unclear exactly how much protected health information was encrypted, although a statement was released by the practice confirming names and addresses were encrypted along with other PHI and that EHRs were encrypted. The infection prevented the EHR from being accessed for a couple of days while the ransomware attack was mitigated, which had an impact on patient care.

Patients could still be seen, although the practice had to resort to recording information on charts until its systems were brought back online.

Ashland Women’s Health was able to successfully remove the ransomware and recover encrypted data without paying the ransom, as backups of data had been made. The incident was reported to law enforcement, including the FBI, and is being investigated.

The incident highlights the importance of conducting regular backups of EHRs and other data. Had a viable backup not existed, the practice would have had to pay the ransom or risk data loss; the latter could potentially result in a substantial HIPAA fine.

Other recent ransomware attacks included an attack on ABCD Pediatrics, which impacted 55,447 patients, and a major attack on Urology Austin, which impacted 279,663, the latter being the largest healthcare ransomware attack of the year to date.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news