Cyber Incident Victim: Park DuValle Community Health Center
Date:
Jun 2019
Location:
United States of America
Summary
A Kentucky-based nonprofit community health center serving low-income and uninsured patients suffered a ransomware attack that encrypted medical records and disabled appointment scheduling systems, rendering critical patient data inaccessible for nearly two months. The organization paid approximately $70,000 to hackers in an attempt to regain access to records for roughly 20,000 affected individuals, marking its second ransomware incident within a two-month period following a previous attack. The prolonged disruption significantly impacted operational capabilities and patient services due to the extended loss of access to essential healthcare data and management tools.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
Park DuValle Community Health Center, a nonprofit operating medical clinics for low-income and uninsured patients in western Louisville and surrounding areas, experienced a ransomware attack on or around June 7, 2019, that encrypted its medical records and appointment scheduling systems. The attack rendered approximately 20,000 patient records inaccessible and paralyzed critical clinical operations for nearly two months. This marked the second ransomware incident targeting the organization's computer systems within a three-month period, following a previous attack in April 2019. The encryption of medical records prevented staff from accessing patient health histories, treatment plans, and scheduled appointments, creating significant disruptions to healthcare delivery across multiple clinic locations. As a nonprofit serving vulnerable populations, the prolonged system outage compounded existing challenges in providing continuity of care without digital records management capabilities.
Facing sustained operational paralysis, Park DuValle's leadership authorized a ransom payment of nearly $70,000 to the attackers in an attempt to regain access to the encrypted patient data. CEO Elizabeth Ann Hagan-Grigsby publicly confirmed the payment and system compromise during a July 25, 2019 interview, approximately seven weeks after the initial attack. The two-month system outage represented one of the longest publicly disclosed healthcare ransomware disruptions at that time, exceeding typical incident recovery timelines. While the ransom payment secured a decryption key, the prolonged recovery period forced staff to implement manual workarounds for patient scheduling and record-keeping throughout the summer months. The repeated attacks within a single calendar year exposed systemic cybersecurity vulnerabilities at the health center, though no specific details regarding initial infection vectors or data exfiltration were disclosed publicly. Financial losses from the ransom payment and operational downtime created additional strain on the nonprofit's limited resources.