UCSF has paid approximately $1.14 million to online hackers who encrypted its servers and data needed for research.

UCSF pays ransom of $1.14 million to online hackers

July 06, 2020
by John R. Fischer, Senior Reporter
The University of California, San Francisco has paid approximately $1.14 million to hackers behind a malware attack that compromised a number of its servers and data.

The incident occurred in a limited part of the UCSF School of Medicine's IT environment on June 1 and was detected and disclosed by UCSF IT staff two days later. The attack encrypted a number of servers, making them temporarily inaccessible.

“We quarantined several IT systems within the School of Medicine as a safety measure, and we successfully isolated the incident from the core UCSF network,” said the university in a statement. “Importantly, this incident did not affect our patient care delivery operations, overall campus network, or COVID-19 work.”

The university stopped the attack as it occurred and has since hired a cybersecurity consultant and other outside experts to investigate the incident and evaluate the defenses of its IT systems.

UCSF believes the attack did not target a specific area, though the attackers did obtain some data, which they used in demanding a ransom payment. While it does not believe patient medical records were exposed, the university chose to pay the ransom because the information is important to the academic work it conducts. In exchange, the attackers provided it with a tool to unlock and retrieve the encrypted data.

Ransomware attacks have cost healthcare organizations more than $157 million over the past five years, according to a report released in February by online services firm Comparitech. Another report by Microsoft found that several dozen hospitals have become especially vulnerable to such attacks on their gateway and VPN appliances as a result of the COVID-19 pandemic.

An incident in October led DCH Health System in Alabama to pay attackers, though it did not reveal the amount it paid. It also sent new patients to neighboring facilities in Birmingham and Mississippi until it could restore hospital operations and improve IT security.

“The ransomware attack continues to impact our ability to accept new patients,” DCH Health System spokesman Brad Fisher said at the time, adding that “we are investigating all options for securely and swiftly restoring our IT system.”

UCSF expects to fully restore the affected servers soon, and will provide further updates on the situation as the investigation proceeds.