In October 2020, the University of Vermont (UVM) Health Network—a six-hospital health care organization that serves over 1 million patients throughout Vermont and upstate New York—discovered that its systems had been compromised by cybercriminals in a ransomware attack. The UVM Health Network ransomware attack led to major disruptions across the organization’s infrastructure, shutting down critical technology and delaying patient care.
This attack—which ultimately stemmed from an employee error—resulted in significant recovery costs and reputational damages for UVM Health Network, emphasizing the severity of cyber incidents within the health care industry. There are various cybersecurity lessons that organizations can learn by reviewing the details of this incident, its impact and the mistakes UVM Health Network made along the way.
The Details of the UVM Health Network Ransomware Attack
At the beginning of October 2020, a UVM Health Network employee took their work laptop on vacation with them. During this vacation, the employee used the laptop to check their personal emails. One of these emails was from the employee’s local homeowners association. Although the email seemed legitimate, the homeowners association had recently been hacked by cybercriminals. As a result, the email was actually a phishing scam. By opening the email, the employee unknowingly allowed cybercriminals to launch malware on their work laptop. When the employee came back to work and connected their laptop to the UVM Health Network’s systems, the cybercriminals then utilized that malware to target the entire organization.
On Oct. 28, the cybercriminals officially launched their attack on UVM Health Network, spreading malware across the organization’s technology. That afternoon, the organization’s IT department began receiving several reports of server issues and glitching applications. Upon investigating these reports, the department suspected a cyberattack was taking place. Fearing a potential data breach, UVM Health Network immediately went offline—thus shutting down its computer and phone systems—to protect its sensitive records. After doing so, the IT department found a text file from the cybercriminals on one of the organization’s devices. The file explained that the cybercriminals had compromised UVM Health Network’s systems and encrypted the organization’s data. To regain access to their systems and data, the cybercriminals urged the organization to contact them.
While the text file didn’t contain a specific ransom demand, UVM Health Network’s IT department was fairly confident that contacting the cybercriminals would only result in such a demand—a demand that the organization did not want to satisfy. After all, there was no guarantee that the cybercriminals would actually restore the organization’s systems and data after the ransom was paid. Therefore, instead of complying with the cybercriminals’ orders, the organization contacted the FBI for assistance. From there, UVM Health Network worked closely with the FBI to identify the source of the attack and resolve the incident. In the coming weeks, Vermont Gov. Phil Scott also deployed the state’s National Guard to further assist in the matter.
Fortunately, the organization confirmed that no sensitive data (e.g., patient records or employee information) was stolen or exposed during the attack. Rather, UVM Health Network’s existing cybersecurity measures allowed the organization to regain access to most of its data through safely stored back-up copies. Nevertheless, the attack still largely disrupted the organization’s operations for several weeks while it worked to fully recover its data, remove the malware (as well as any digital backdoors created by the malware) from all infected technology and rebuild its damaged infrastructure. During this time, hundreds of employees were unable to perform their job responsibilities due to the computer and phone systems remaining shut down. What’s worse, many patients faced delayed test results, experienced appointment cancellations and had to reschedule elective medical procedures while UVM Health Network recovered from the incident. In total, it took multiple months for the organization to totally restore its infrastructure.
The Impact of the UVM Health Network Ransomware Attack
UVM Health Network ransomware attack caused a range of consequences, including the following:
Recovery costs and lost revenue
The organization incurred significant recovery expenses as a result of the attack. This includes costs related to UVM Health Network rebuilding 1,300 damaged servers, restoring 600 disabled applications, scanning and cleaning 5,000 malware-ridden computers, and repopulating its overall infrastructure with backed-up data. In addition, the organization lost a considerable amount of revenue in the time it took to recover from the incident—totaling nearly $1.5 million per day. As a whole, the attack is estimated to have cost UVM Health Network over $63 million. These costs greatly exceeded the organization’s existing cyber insurance protection, as it was only insured for $30 million.
Reputational damages
Apart from recovery expenses, the organization encountered widespread scrutiny due to the attack. Specifically, UVM Health Network was criticized for allowing employees to access their personal emails on workplace devices—a flaw that essentially led to the incident. Although the organization’s existing cybersecurity measures effectively prevented the attack from resulting in a data breach, UVM Health Network was still scrutinized for its lengthy incident recovery process, especially considering that this process resulted in delayed patient care.
Delayed system updates
Lastly, the attack forced the organization to modify its timeline for rolling out an updated electronic health record system. This system was intended to replace the organization’s current patchwork of health record applications and create a more integrated system to be utilized for both inpatient and outpatient care. While UVM Health Network had already implemented the first phase of this rollout in November 2019, the second and third phases were pushed back to November 2021 and April 2022, respectively.
Lessons Learned
There are several cybersecurity takeaways from the UVM Health Network ransomware attack. In particular, the incident showcased these key lessons:
Employee education can’t be ignored.
Employees are often the first line of defense against cyberattacks. In fact, as many as 90% of such attacks stem from human error. This issue was certainly emphasized during UVM Health Network’s cyber incident. If the organization had educated its employees on safe email protocols and phishing detection measures, it’s possible that this attack could have been avoided altogether. As such, it’s crucial to share the following cybersecurity best practices with employees:
- Avoid opening or responding to emails from unfamiliar individuals or organizations. If an email claims to be from a trusted source, verify their identity by double-checking the address.
- Never click on suspicious links or pop-ups, whether they’re in an email or on a website. Don’t download attachments or software programs from unknown sources or locations.
- Utilize unique, complicated passwords for all workplace accounts. Never share credentials or other sensitive information online.
- Only browse safe and secure websites on workplace devices. Refrain from using these devices for answering personal emails or browsing the internet on topics unrelated to work.
- Contact a supervisor or the IT department if suspicious activity arises.
Effective security software is a must.
After the attack, UVM Health Network made it a priority to block employees’ access to their personal emails on all workplace devices, as well as equip this technology with more advanced security software. While this software may seem like an expensive investment, it’s worth it to minimize the impacts of potentially devastating cyber incidents. Software to consider includes network-monitoring systems, antivirus programs, firewalls, endpoint-detection products and patch-management tools. Also, it’s valuable to conduct routine penetration testing to determine whether this software possesses any security gaps. If such testing reveals any problems, these issues should be addressed immediately.
Cyber incident response plans make a difference.
UVM Health Network took an extended period of time to recover from this incident, ultimately increasing disruption concerns, delaying patient care and compounding the overall costs of the attack. Such lengthy recovery issues highlight how essential it is to have an effective cyber incident response plan in place. This type of plan can help an organization establish timely response protocols for remaining operational and mitigating losses amid a cyber event. A successful incident response plan should outline potential cyberattack scenarios, methods for maintaining key functions during these scenarios and the individuals responsible for carrying out such functions. This plan should be routinely reviewed through different activities—such as tabletop exercises—to ensure effectiveness and identify ongoing vulnerabilities. Based on the results from these activities, the plan should be adjusted as needed.
Ransomware attacks carry unique ramifications.
It’s important to note that UVM Health Network made a smart choice by not complying with the cybercriminals’ demands and instead reaching out to the FBI during this incident. While this practice is vital to avoid further exploitation during ransomware attacks, doing so often contributes to a lengthier incident recovery process. That being said, ransomware attack scenarios need to be considered when developing a cyber incident response plan. Namely, the plan should address specific tactics for remaining operational during the extended recovery efforts that often accompany such attacks. Additionally, it’s important that the plan prioritizes contacting law enforcement and working with insurance partners for further assistance when these events occur, as this practice can help minimize potential losses, improve incident investigation processes and better identify perpetrators.
Proper coverage can provide much-needed protection.
Finally, this attack made it clear that no organization—not even a major health care organization—is immune to cyber-related losses. That’s why it’s crucial to ensure adequate protection against potential cyber incidents by securing proper coverage. Considering how expensive cyber events can be (especially ransomware attacks), it’s best to carefully select a policy limit that will provide sufficient protection amid a costly incident. Consult a trusted insurance professional when navigating these coverage decisions.
We are here to help.
If you’d like additional information and resources, we’re here to help you analyze your needs and make the right coverage decisions to protect your operations from unnecessary risk. You can download a free copy of our eBook, or if you’re ready to make Cyber Liability Insurance a part of your insurance portfolio, Request a Proposal or download our Cyber & Data Breach Insurance Application and we’ll get to work for you.