The hackers who locked up data on MedStar's computers this week are demanding ransom to begin unlocking it — and they're offering a bulk discount to release all of it, according to a copy of the demands obtained by The Baltimore Sun.
The attack was made public by the FBI and MedStar on Monday. A doctor at a MedStar hospital in Baltimore and a second source familiar with the matter confirmed Wednesday that it was launched by hackers seeking payment.
The hackers, who have encrypted the data so MedStar users cannot retrieve it, are seeking payment in bitcoins, the hard-to-trace digital currency that can be purchased at online exchanges.
MedStar, which operates 10 hospitals and other facilities in the Baltimore-Washington region, declined to discuss the nature of the attack, citing an ongoing investigation.
Ann Nickels, a spokeswoman for the nonprofit medical system, said Wednesday that its three main clinical information systems had been restored, and that doctors were able to access medical records on at least a read-only basis.
Nickels said MedStar was getting close to restoring the whole system. She declined to say when the work would be complete.
"We have bunch of smart IT people working around the clock," Nickels said. "Nothing is more important to MedStar health than the ability to provide patient care."
Some patients continued to report problems.
Edwin Easton, 65, sat outside an entrance to MedStar Union Memorial Hospital on Wednesday afternoon, his second day waiting on his blood-pressure prescription.
One more day, the retired youth counselor said, and he would be out of the medication from his last prescription.
"I'm on the last leg," Easton said.
He said his primary care physician told him immediately about the outage and that the hospital had done a good job of communicating what was happening.
But he watched younger employees — who had never worked with the old, paper-based system of record-keeping — struggle.
"This younger generation needs a backup course," Easton said. "They're used to just pushing a button."
The deal proposed by the hackers is this: Send 3 bitcoins — $1,250 at current exchange rates — for the digital key to unlock a single infected computer, or 45 bitcoins — about $18,500 — for keys to all of them.
It's unclear whether 45 bitcoins would unlock all data throughout MedStar, or whether each of several sections of the network would require a separate 45-bitcoin payment.
The kind of attack, which has been launched against hospitals across the United States in recent months, is known as "ransomware."
The ransom note appeared when users in the MedStar system tried to open files on their computers. The hackers directed users to an online "wallet" to pay the ransom. Once it was paid, they said, they would deliver the keys to the data on the dark Web, a hidden part of the Internet where they can better cover their tracks.
The wallet is currently empty. A bitcoin tracking site reports that no funds have been transferred in or out of it.
The Baltimore doctor, who spoke on condition of anonymity because he was not authorized to discuss the attack publicly, said it had hit every computer on the network.
"The fax machines have been going off the hook," the doctor said, as clinicians try to piece together paper copies of patients' records.
He said staff have been working together to surmount the challenge, and while things have moved more slowly, patients were getting treated.
MedStar has said it discovered the infection Monday morning and quickly pulled its systems offline to stop it from spreading. The company has acknowledged some disruptions, but said in general, patient care has not been affected.
Cephus Prioleau Jr. said his wife went to the MedStar Union Memorial Hospital emergency room Monday and was admitted for a procedure.
When he called to find out which room she was in, he said, he was told she had already been discharged.
He was frantic. He called back. His son called. Prioleau drove to the hospital.
With the computer system down, they were told she was gone.
"I told them I was the only one she would call," Prioleau said. "She couldn't walk to go somewhere."
For two days, her family didn't know where she was. On Wednesday, Prioleau returned to the hospital and pleaded with the receptionists to call various departments.
Eventually, they found her — in a hospital bed with an IV in her arm.
Prioleau, 61, a retired data entry worker at a tax preparation firm, said a computer outage "shouldn't mean you lost the records of where she is."
He said the hack exposed the need for backup systems and paper documentation.
"I know everybody's pushing green, to get rid of paper, but you should always have a backup," he said. "You've got to."
Nevertheless, he praised the hospital employees, who he said were doing their best to work around the system outage.
"They're trying to do their job," Prioleau said. "They don't know what to tell you."
Gene Ransom, executive director of MedChi, the state's medical society, said doctors are worried about how the lack of access to electronic medical records could impact patient care.
Records provide medical history needed to best treat patients. In some cases, Ransom said, doctors are recreating medical histories and ordering lab work and other tests.
"There is a lot of concern about the potential harm because of this," Ransom said. "A lot of doctors are concerned that something bad will happen because of this."
Ransom said the attack shows more caution should be taken with medical records.
"We are very quick to want to adopt new technology and new health IT stuff," he said. "We might want to move slowly on some things and make sure they are working right. When you become dependent it on it, it makes it difficult when there's a problem."
MedStar advised patients to call doctors' offices directly to make appointments, while IT specialists work to restore the computer systems used for scheduling.
The health system has maintained close to normal patient numbers since the attack, treating an average of 3,380 patients a day at its 10 hospitals. Its emergency departments treated 2,400 patients, and staff performed 782 surgeries and delivered 72 babies.
MedStar officials said there have been only a few cases in which they have not been able to treat patients.
"The disruption to our systems has not impacted our ability provide quality care to our patients, and we regret any inconveniences to our patients and the extra challenges to our associates that the perpetrators of this attack have caused," Dr. Stephen R.T. Evans, the system's chief medical officer, said in a statement.
The hackers' ransom note and the hidden website it directs victims to are almost identical to those that computer security analysts say are associated with a powerful new form of ransomware known as MSIL, Samas and Samsam.
Craig Williams, an analyst at Cisco's Talos, a security firm that has been tracking the new ransomware, said it first appeared in December. It is powerful because it can spread across entire networks.
Reuters reported Monday that the FBI had sent an urgent bulletin warning about the new strain, and asked anyone with information to contact FBI computer crimes investigators.
"We need your help!" the FBI said.
FBI Baltimore spokesman Dave Fitz declined to comment on the bulletin. He said the bureau tries to work with the private industry to share information about threats to computer systems.
"This data is provided in order to help systems administrators guard against the actions of persistent cybercriminals," he said.
Williams said the available evidence points to a single group. The attackers have slowly been ramping up their ransom demands, Williams said, indicating they're new to the game and still figuring out how much their victims will pay.
"They don't really know what the data's worth," Williams said.
Talos has been tracking bitcoin wallets associated with the ransoms. Last week they estimated $115,000 in payments had been made.
That figure is far higher now, Williams said — some of the wallets have thousands of bitcoins in them, the equivalent of millions of dollars.
There are few clues to who the people running the campaign might be. Cris Thomas, a strategist at Tenable Network Security, said typically ransomware is spread by organized criminal groups operating outside the United States.
Williams said there's one good piece of evidence that's the case with the Samsam group: "The ransomware instructions to pay are really, really badly written."