Cyber Incident Victim: Estes Park Health
Date: Jun 2019
Location: United States of America
Summary
Estes Park Health suffered a ransomware attack that encrypted its systems and disrupted clinical operations and medical imaging; there was no evidence of data exfiltration. Under pressure to keep patient care running, the organization consulted its cyber insurer and IT advisers and, having judged the available restoration options inadequate, paid an undisclosed ransom for decryption keys. It covered a $10,000 insurance deductible and made further payments to unlock additional encrypted files that surfaced during recovery. Systems were restored, though public statements never addressed whether usable backups existed. The incident illustrates the pressure on healthcare providers to put patient safety first when deciding whether to pay.
| Threat Actors | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| 0 attributed | 1 recorded | 1 recorded |
Description
On June 2, 2019, Estes Park Health (EPH) experienced a ransomware attack that encrypted its systems and locked access to critical data. No data was exfiltrated, but files were rendered inaccessible and operations were disrupted. EPH consulted its cyber insurance provider and IT staff to evaluate its options and concluded that paying the ransom was the fastest way to restore systems and maintain continuity of patient care. EPH paid a $10,000 deductible; the insurer covered the rest of the ransom, and decryption keys were obtained. During decryption, EPH found additional encrypted files outside the initial scope, which required further negotiation and supplementary payments to the attackers. The total ransom was not publicly disclosed.

The ransomware took down clinical software and medical imaging systems, hindering routine operations and patient services. EPH's leadership said payment was unavoidable given the urgency of restoring imaging and clinic management tools essential to patient safety. Public statements never mentioned functional backups, which suggests decryption was the primary recovery path; the discovery of further encrypted files after the first payment, with the extra cost and negotiation that followed, is a known risk of depending on an attacker-supplied decryptor rather than tested backups. The incident highlights how prolonged downtime in a healthcare setting can directly compromise care delivery. EPH's cyber insurer facilitated the ransom transaction and recovery; the ransomware variant was never publicly identified. After the incident, EPH focused on restoring systems and disclosed no further technical details or long-term corrective actions.
