Cyber Incident Victim: Virtual Care Provider Inc.
Date:
Nov 2019
Location:
United States of America
Summary
A Milwaukee-based healthcare technology services firm suffered a catastrophic ransomware attack by Russian hackers who infiltrated its network via phishing emails over 14 months, escalating privileges to encrypt data and delete backups while demanding $14 million in Bitcoin. The attack disrupted critical operations for over 100 nursing homes and acute-care facilities, preventing access to patient records, internet services, payroll processing, and medication orders. Despite restoration efforts, the company could not meet the ransom demand, forcing a complete rebuild of 100 physical servers while leaving clients with severe operational challenges and potential existential threats.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On November 17, 2019, Russian hackers executed a ransomware attack against Milwaukee-based Virtual Care Provider Inc., a technology services firm supporting over 110 nursing homes and acute-care facilities across 45 U.S. states. The attackers had infiltrated the company’s network over 14 months through phishing emails containing malicious attachments, which employees unknowingly opened. This allowed hackers to progressively exploit vulnerabilities, disable antivirus protections, and spread malware across systems. Upon gaining administrative account access—described as achieving "God mode"—the attackers deleted backup data, encrypted critical systems, and demanded a $14 million Bitcoin ransom. Virtual Care, unable to pay the exorbitant sum due to its relatively small size despite managing 80,000 client computers, faced catastrophic data loss. The attack disrupted client facilities’ access to electronic medical records, internet services, payroll processing, medication ordering systems, phones, and billing platforms.
Virtual Care immediately launched an internal investigation, engaged security experts, and began rebuilding 100 physical servers to restore services. Impact severity varied among the 110 affected healthcare providers: some relied solely on Virtual Care for IT support, while others lost hosted websites, email, patient records, and operational systems. Wisconsin’s Lutheran Home and Harwood Place mitigated patient care disruptions through parallel medical record systems, but other facilities risked closure and life-threatening treatment delays without data access. Cybersecurity analysts identified the perpetrators as a prominent Russian ransomware group known for targeting service providers to amplify pressure for payments. The incident exemplified broader trends of attacks against under-secured small-to-midsize companies, with healthcare entities particularly vulnerable. No data recovery or ransom payment occurred, leaving Virtual Care and its clients in a "lose-lose-lose" scenario while highlighting systemic risks of sophisticated cybercriminal operations.