article featured image


With more and more hackers profiting from the Coronavirus crisis to target healthcare providers, now is the time to look to the past and learn from it. Cybercriminals have been targeting medical institutions for some time now, and a perfect example of that is the DCH ransomware incident.

In this article, I will analyze the events DCH ransomware attack, as well as the ways in which Alabama’s healthcare providers tried to grapple with the consequences. Regardless of whether you are in the medical field or not, there is much to be learned from this moment in cyber-history.

Understanding the DCH Ransomware Attack

In the early hours of October 1, 2019, Alabama’s DCH Health System fell victim to an extended ransomware attack which forced it to close all three of its state hospitals. The medical establishments in question were:

  • Tuscaloosa’s DCH Regional Medical Center,
  • Northport Medical Center,
  • and Fayette Medical Center.

Computer systems across all three hospitals were taken out, which prevented staff from accessing vital resources and records. Emergency procedures were implemented soon thereafter to ensure the continuation of day-to-day care for patients that had been hospitalized before the attack. What is more, the respective establishments continued admitting critical patients. However, non-critical cases were denied healthcare for 10 days following the incident.

According to an article published by the Alabama Political Reporter on October 5, 2019, hackers deployed a strain known as Ryuk ransomware into DCH systems. Ryuk is operated by a Russian cybercrime group known as WIZARD SPIDER. The rink is believed to have gained $3.7 million in Bitcoins from 2018 to 2019 alone, outlining a very profitable operation.

Ryuk ransomware operators employ deceitful social engineering techniques, tricking users into opening the emails they send as part of a phishing campaign. These malicious messages contain attachments that deploy malware onto the targeted device when opened.

After the malware is successfully dropped onto the host, Ryuk escalates privileges and injects its code into the device’s processes, halting system tasks. The next step is encryption, followed by ransom demands. For a more in-depth analysis of this particular cyber-threat, check out my colleague Vladimir’s extensive article on Ryuk.

The Aftermath of the DCH Ransomware Attack

The partial disruption of healthcare services for 10 days affected several DCH Health System patients, four of which filed claims in Alabama’s district court against the healthcare provider. As claimed by the lawsuit via Alabama Local News:

Because of the ransomware attack, plaintiffs and class members had their medical care and treatment as well as their daily lives disrupted. As a consequence of the ransomware locking down the medical records of plaintiffs and class members, plaintiffs and the class members had to forego medical care and treatment or had to seek alternative care and treatment. Defendant breached its obligations to plaintiffs and class members and/or was otherwise negligent and reckless because [of its] failing to properly maintain and safeguard its computer systems and data.

Sheneka Frieson

Plaintiff Sheneka Frieson filed the complaint on behalf of a 7-year-old girl who sought medical assistance at Northport Medical Center. She suffered from a severe allergic reaction that swelled her eyes shut. A nurse at Northport allegedly did not consider her case to be an emergency and told Frieson the girl would have to wait 4 to 5 hours for a consultation.

The only two other options that Frieson was left with was to either drive to the city of Birmingham located one hour away, or visit the local Walgreens. As per the lawsuit’s claim, the girl’s swelling took three days to subside due to a lack of proper medical care.

Geraldine Daniels

A post-surgical patient at the DCH Regional Medical Center, Geraldine Daniels could not get a prescription for required recovery medication due to the DCH ransomware attack. Her medical files were rendered inaccessible during her stay. She subsequently filed her claim in the Western Division of U.S. District Court for the Northern District of Alabama.

Kimberly Turner

DCH Regional Medical Center patient Kimberly Turner visited the Tuscaloosa hospital a few days before the ransomware attack to have some x-rays done. The incident interrupted her subsequent treatment under the care of an orthopedist.

Mary Williams

The fourth litigant, Mary Williams, did not include a reason for her complaint in the text of the lawsuit. However, she did state the DCH ransomware case compromised her medical records and disrupted her medical care.

Did the DCH Health System Pay the Ransom?

To quickly restore systems to a functioning state, the DCH Health System ended up paying the ransom. As per a statement issued by DCH spokesperson Brad Fisher:

We worked with law enforcement and IT security experts to assess all options in executing the solution we felt was in the best interests of our patients and in alignment with our health system’s mission. This included purchasing a decryption key from the attackers to expedite system recovery and help ensure patient safety. For ongoing security reasons, we will be keeping confidential specific details about the investigation and our coordination with the attacker.

The total amount was not disclosed by representatives. However, cybersecurity expert Dr. Matthew Hudnall estimated that between $400,000 and $700,000 had been reimbursed to the ransomware operators in exchange for the decryption key. According to Hudnall, this put other organizations at risk.  Giving in to the ransom demands of cybercrime rinks further empowers them to attack, perpetuating the threat.

This is a position Heimdal Security stands behind as well. My advice here is to never pay the ransom under any circumstances. While remediation costs might end up being higher, you have no guarantee you will get a decryption key as DCH Health System did. And even if you do get the promised tools, you will still be responsible for funding cybercriminal activity and allowing ransomware operators to attack even more institutions and companies.

In Conclusion…

The DCH ransomware attack should be considered a teachable moment in cyber history. From human error to giving in to ransom demands and the lawsuits that ensued, Alabama’s healthcare providers made quite a few mistakes in dealing with the incident.

Your main takeaway here should be focusing on prevention rather than remediation. Cybersecurity training for staff coupled with strong policies and solutions, plus relevant data backups here and there is your best bet in this ever-changing digital landscape.

Author Profile

Alina Georgiana Petcu

Product Marketing Manager

linkedin icon

Alina Georgiana Petcu is a Product Marketing Manager within Heimdal™ Security and her main interest lies in institutional cybersecurity. In her spare time, Alina is also an avid malware historian who loves nothing more than to untangle the intricate narratives behind the world's most infamous cyberattacks.

Leave a Reply

Your email address will not be published. Required fields are marked *

Protect your business by doing more with less

Book a Demo