by Dr. Jeffrey Kaufman
Steven Leffler [UVMMC President quoted on WCAX news report] fails to take responsibility for a multi million dollar gamble which the medical center network lost by not taking adequate measures to prevent a devastating ransomware attack.
Knowing full well that they were vulnerable to ransomware piracy UVMMC failed to spend the money required to prevent being victimized.
At the time, responsible businesses, especially those which would suffer severely if exposed, dug down and spent modest money to harden their IT defenses. But Not UVMMC.
Instead, they were hit hard.
The attack not only paralyzed patient care; inpatient and outpatient, as medical records and critical medical center data files were no longer available; critical hospital administrative functions; but captured HIPAA protected confidential patient medical records for what must be a majority of all Vermonters were exposed to ruthless criminals, apparently located overseas, out of U.S. jurisdiction and law enforcement hands.
While payment of the ransom demand could be exchanged for return of the records and files allowing re-establishment of operations, confidentiality was already breached and laid wide open. Vermonters and UVMMC staff suffering was prolonged as the stolen records were not restored for an extended period of time. In some settings such carelessness could be considered criminal negligence. This being Vermont’s UVMMC, VT Attorney General TJ Donovan chose not to prosecute.
So who lost? Vermonters.
And now, a couple of years later when some forget the months of pain UVM staff struggled through while attempting to provide needed services, the attack is renewed with vigor in the form of proposed massive rate hikes to cover losses Vermonters had no way to avoid, prevent, nor mitigate. Vermonters were the true victims during the attack and it’s aftermath and are now, silently, being subjected to a new ransom threat which only they will pay.
The author is a retired MD living in the Northeast Kingdom.