Cyber Incident Victim: Northport Medical Center

Date: Oct 2019

Location: United States of America

Summary

A ransomware attack severely disrupted operations at a health system comprising three hospitals, including Northport Medical Center, forcing facilities to divert ambulances and accept only critical patients while emergency cases faced potential transfers after stabilization. The malware encrypted critical systems and backups, demanding cryptocurrency payment for decryption, with officials implementing emergency protocols to maintain safe care delivery amid the outage. Simultaneously, seven Australian hospitals experienced a related cyber incident, rescheduling services and isolating infected systems, though no evidence suggested patient data compromise during the prolonged network restoration efforts.

Description

On October 1, 2019, the DCH Health System in Alabama (comprising DCH Regional Medical Center in Tuscaloosa, Northport Medical Center, and Fayette Medical Center) was forced to close all three facilities to new patients following a ransomware attack that paralyzed the network's computer systems. The hospitals implemented emergency protocols to maintain operations without computer-dependent technology, restricting admissions to only the most critically ill patients. Ambulance services were instructed to divert patients to alternative hospitals when possible, while emergency room arrivals faced potential transfers after stabilization. Hospital officials publicly acknowledged that an unidentified criminal actor had disabled their systems and was demanding an unspecified ransom payment, of the kind typically demanded in cryptocurrency. The attack disrupted standard workflows, though specific technical details about the ransomware variant, encryption methods, or initial infection vector were not disclosed. Backup systems were implied to be compromised based on general ransomware behavior described in the report, though no explicit confirmation was provided regarding backup integrity or restoration efforts at DCH facilities.

Simultaneously, seven hospitals across Gippsland and southwest Victoria in Australia experienced a separate ransomware attack discovered on September 30, 2019, which remained unresolved 24 hours later. These facilities isolated and disconnected multiple systems—including financial management platforms—to contain the infection, causing significant operational delays. Non-urgent patient services were rescheduled as staff operated under reduced technical capacity. Authorities collaborated with the Australian Cyber Security Centre and law enforcement to manage the incident, estimating weeks would be required to fully secure and restore affected networks. Hospital officials emphasized no evidence suggested unauthorized access to patient records occurred during the attack. Both incidents exemplified widespread healthcare vulnerabilities, with geographically distinct hospital networks resorting to manual protocols and patient diversions while facing prolonged recovery timelines and undisclosed financial demands from attackers.
