Cyberattack on NRC Health sparks privacy concerns about private patient records stored by US hospitals

Key Points
  • NRC Health, which administers patient survey tools to hospitals, experienced a cyberattack on Feb. 11 and shut down its "entire environment" to contain the issue.
  • Hospitals have been notified and are concerned that private patient data was accessed, even though NRC says there's no evidence of that so far.
  • The data stored by NRC includes patient satisfaction data, and is used to determine everything from how much doctors get paid in bonuses to how much hospitals are reimbursed by Medicare.

NRC Health, a publicly-traded company that says it works with 75 percent of the 200 largest U.S. hospital chains, was hit with a cyberattack on Feb. 11, a spokesperson confirmed to CNBC. The attack sparked concerns about the security of patient health information stored on NRC Health's servers.

The company could not confirm whether any patient information or confidential information was accessed by the hackers. It didn't share details on the nature of the attack but said it doesn't have evidence of a patient data breach.

A breach is when hackers access information stored on computer systems. Companies must, by law, report a breach of protected health information to government health regulators.

What NRC Health does

NRC Health says it sells software to 9,000 healthcare organizations, including Cedars Sinai, Ochsner, Jefferson Health and Providence Health. It collects data from more than 25 million health care consumers per year across the U.S. and Canada, according to its website.

NRC Health competes with companies like Press Ganey. It administers patient satisfaction surveys for hospitals. These measures aren't just used by marketing departments to keep patients loyal.

Increasingly, health regulators are using these metrics to determine how much hospitals get reimbursed. For instance, in 2012, the Affordable Care Act introduced a policy to withhold a percentage of Medicare reimbursement (starting with 1 percent, or $85 million, and doubling in 2017), until hospitals can prove that patients are sufficiently satisfied with the service.

Hospital executive pay is also often tied to these patient satisfaction measures, according to the American Medical Association Journal of Ethics.

What seems to have happened

The cyberattack was caused by ransomware. When ransomware attacks happen, hackers use sophisticated malware to infect a computer and then encrypt computer files until a ransom is paid. Hospitals, and the IT vendors that work with them, have been increasingly targeted in recent years. There have been 172 attacks on individual healthcare organizations since 2016, costing the sector overall $160 million, according to Comparitech.

NRC Health chief information officer Paul Cooper acknowledged in a statement that the company shut down its systems after learning of the attack, but that it has made "significant progress" in restoring them. Cooper said the company would continue to share updates on its progress to its customers on a daily basis.

"Our resources are singularly dedicated to regaining full operability and investigating this matter to completion," he said.

The company started notifying its hospital customers with an email alerting them to the attack. In a copy of the email obtained by CNBC, the company says it responded by shutting down the "entire environment, including client-facing reporting portals, to contain the issue." The attack took place on "certain computer systems" at approximately 5 p.m. CST, which have been down since.

NRC has launched an investigation and notified the FBI, the email says.

A "major source of irritation"

With NRC's systems down, one chief information officer at a hospital said that it's been a "major source of irritation internally," because the systems are used to determine how much its physicians are getting paid. The exec requested anonymity because they were not authorized to speak about the attack.

There are also brewing concerns about whether NRC will determine that there was a breach of patient data, according to the source. If private information was accessed, hospitals will need to notify their patients.

Another health system CEO, who likewise requested anonymity, said that they were concerned about hackers having access to confidential information about their hospital, including its market share.

It's a trend

Companies like NRC Health have massive volumes of information about patients, says Aaron Miri, a chief information officer for Dell Medical School.

"The value proposition for hackers is huge," Miri explained. "You'll often find medical records up for sale for several hundred dollars per record."

But in the wake of cyberattacks it can be challenging to track where the protected health information came from, Miri said.

Miri explained that many hospitals are starting to pay ransoms to hackers, despite advice not to, because it's expensive for IT systems to be down for days or even weeks. In Alabama this past October, three hospitals that were part of DCH Health System said they couldn't accept patients for a week after their systems were targeted. Hackensack Meridian, a 17-hospital system, publicly acknowledged that it paid the hackers an undisclosed sum in December 2019 to regain access to its systems.

In 2019 there were 140 reported attacks targeting governments and health care providers, a 65 percent increase from the prior year, according to the security firm Recorded Future.
