Hollywood Presbyterian: Hospital Pays $17,000 to Get Patient Records Back
Hollywood Presbyterian Medical Center's computers were locked by ransomware for 10 days. Doctors reverted to fax machines and paper records. The hospital paid 40 Bitcoin ($17,000) to regain access to patient files.
Background
Hospitals became prime ransomware targets from 2016 onward because they hold genuinely irreplaceable data (patient records), face extreme pressure to restore operations quickly, and have historically underinvested in security. Hollywood Presbyterian was among the first high-profile healthcare ransomware victims.
The Attack
The ransomware — believed to be Locky — entered through a phishing email opened by a hospital employee. It encrypted medical records, laboratory data, imaging files, and administrative systems across the hospital. Doctors could not access patient histories or imaging, could not admit patients digitally, and had to use paper and fax for a week and a half. The FBI was called but offered no viable recovery path.
Response
Hospital CEO Allen Stefanek announced the decision to pay 40 Bitcoin on February 17, 2016, stating it was "the quickest and most efficient way to restore our systems." The FBI advised against paying but acknowledged the hospital's difficult position. The decryption key worked and systems were restored.
Outcome
The $17,000 payment was modest, but Hollywood Presbyterian's case opened the floodgates for healthcare ransomware. Within months, hospitals in Germany and the UK were hit. Healthcare became the most ransomware-targeted sector by 2020, with ransoms scaling from thousands to tens of millions of dollars.
Key Takeaways
- Healthcare organisations must maintain offline backups of patient records — lives depend on data availability
- Paying a ransom funds future attacks and brands the payer as willing to pay again
- Hospitals must conduct tabletop exercises for ransomware scenarios specifically, given the life-safety implications
- Segmenting clinical systems from administrative networks limits ransomware spread to non-critical areas