Cyber Incident Victim: York Animal Hospital
Date: Jul 2021
Location: United States of America
Summary
A ransomware attack targeted York Animal Hospital, erasing four years of patient records and backup data, leaving only limited paper records and emails. The attackers demanded $80,000 in Bitcoin, which the hospital refused to pay, opting instead to manually rebuild its systems by reloading outdated records and requesting clients' pet medical histories. Operations were severely disrupted: services slowed, appointments for medication refills required extended notice, text messaging capabilities were lost, and the facility temporarily closed to focus on recovery. While financial data remained uncompromised, the hospital estimated that fully restoring operations would take over a year, and it implemented enhanced security measures during reconstruction. Community support aided recovery efforts amid the prolonged disruption.
Description
The ransomware attack on York Animal Hospital was discovered on July 6, 2021, following a cyber intrusion over the Fourth of July weekend that erased the hospital’s entire server and all backup data. Attackers encrypted the practice’s systems, leaving a ransom note demanding $80,000 in Bitcoin for file restoration, which owner Bill Walak refused to pay. The attack wiped all digital patient medical records from the previous four years, leaving only scattered paper records and saved emails. This forced the hospital to close early on July 9 to focus on recovery efforts. Critical operational impacts included the inability to access patient histories, process payments, or receive text messages, leading Walak to temporarily waive service fees. Clients were urgently asked to email pet medical details—including vaccine histories—to a temporary Gmail address to aid data reconstruction. Walak suspected Russian involvement based on clues in the ransom note but confirmed financial systems remained uncompromised, eliminating immediate identity theft risks for clients.

Recovery efforts began immediately, with staff manually reentering inventory data and rebuilding patient records from fragmented sources. By July 11, the team had restored most inventory data, allowing the hospital to reopen on July 12, albeit with significantly slowed operations due to ongoing record reconstruction. Walak loaded a 2017 backup of patient records as a partial baseline but emphasized full recovery would take at least a year. The hospital communicated progress via Facebook, acknowledging community support while requesting patience for delayed medication refills and appointment coordination. Staff implemented workarounds, such as requiring 24-hour notice for prescription renewals, to manage workflow disruptions. Despite restoring basic functionality, the hospital continued operating without its original digital systems, relying on rebuilt databases with enhanced security measures. The incident highlighted dependencies on vulnerable software, as Walak noted prior payments to a vendor for system setup had not prevented the breach. Operational resilience was maintained through manual processes and client cooperation, though long-term data restoration remained incomplete at the time of reporting.
