Cyber Incident Victim: Hancock Regional Hospital
Date: Jan 2018
Location: United States of America
Summary
Hancock Regional Hospital suffered a ransomware attack attributed to a criminal group believed to operate from Eastern Europe. The attackers encrypted approximately 1,400 files with SamSam ransomware and demanded payment in bitcoin. Initial access was gained through a remote-access portal using a compromised vendor credential; email and electronic health record systems were disrupted, with no evidence of data theft. Because restoring from backups would have taken weeks, the hospital paid the equivalent of $55,000 to expedite restoration. More than 1,000 files were decrypted during recovery, and operations were largely restored within days while the hospital worked with law enforcement. Staff were required to reset their passwords as part of the post-incident security measures.
Description
On January 11, 2018, at approximately 9:30 PM, Hancock Regional Hospital experienced a ransomware attack initiated by an unidentified criminal group believed to be operating from Eastern Europe. The attackers used SamSam ransomware to encrypt approximately 1,400 files across the hospital's information systems, disrupting access to critical services including email and electronic health records. The intrusion occurred through a remote-access portal that the attackers logged into with an outside vendor's username and password. After encrypting the files, the attackers demanded payment in bitcoin to restore access. Hospital administrators determined that restoring operations from backups would have required weeks of recovery time, prompting the decision to negotiate with the attackers.

Hancock Health CEO Steve Long authorized a payment of four bitcoins, equivalent to roughly $55,000 at the exchange rate of the time, to expedite system restoration. By January 15, 2018, the hospital had decrypted more than 1,000 files and begun comprehensive cleanup operations. Internal technology teams worked with external cybersecurity consultants and clinical staff to restore functionality while maintaining continuity of patient care. The hospital publicly stated that it had found no evidence of patient data being exfiltrated or permanently compromised during the incident. Hancock Health enforced immediate password resets for all staff and engaged national law enforcement agencies to investigate the attack's origins. An initial public statement acknowledged the ransomware event but did not disclose the ransom payment, which was later confirmed to media outlets on January 16. Operational impacts were contained within four days, though full forensic analysis and coordination with authorities remained ongoing at the time of reporting.
