GRANITE FALLS, N.C. — In a small single-story brick building on Highway 321, just up the road from Hickory, North Carolina, Dr. Ed Bujold runs a small family medical practice. He’s cared for patients in North Carolina for almost 40 years.

Bujold’s story of international cybercrime starts the same way as many others: he tried to log in to work one day, and the computer system wasn’t working. That was Oct. 31, 2021, a Sunday.


What You Need To Know

  •  Ransomware attacks are a constant threat for companies in North Carolina

  •  Hacking groups, mostly from overseas, will shut down a computer network and demand the victim pay a ransom to get their data back

  •  Colonial Pipeline was hit with a ransomware attack in May 2021 that shut off much of the fuel supply to the East Coast

  •  Many ransomware attacks do not have that kind of impact, but still prove to be major disruptions for businesses of all sizes

The next morning, he went into the office. The computers were working, but no one on his staff could get into their medical records system. This is where they kept essentially everything they had on each patient.

“We immediately called our cloud provider, and they said that they had been hacked. And they were in the dark, just like all their 100 clients. And they didn't have any information,” he said.

“I'm in a small independent practice, just myself and a nurse practitioner, and then I have nine people that are employed in the office. And we're a very tight team. And we said, OK, you know, we need to shift gears here and get out some paper and post some paper, prescription pads, which we hadn't used for years,” Bujold said.

It was the beginning of a months-long saga for the doctor and his team.

Bujold wrote about his experience in a January article in the Annals of Family Medicine, an academic journal. He also recounted the story to Spectrum News 1 in an interview.

Targets big and small

There were 381 ransomware attacks publicly disclosed in 2022 in the United States, according to researchers with Comparitech who track these incidents. That number is down from 680 the year before.

In North Carolina last year, ransomware victims included construction companies, health care providers, the Council on Aging of Buncombe County and North Carolina A&T University. Comparitech documented 14 ransomware attacks in North Carolina last year.

On February 22, Gaston College, based in Dallas, North Carolina, got hit with a ransomware attack. A month later, the college west of Charlotte still didn’t have its campus wifi back online or all its computer labs back open.

Ransomware attacks can do more than disrupt a doctor’s office or a college. A similar attack took down the Colonial Pipeline, cutting off most of the gasoline supply for the East Coast in May 2021.

Colonial ultimately paid millions to a criminal gang in Russia to get gas flowing again.

Federal authorities tell companies they should not pay ransom demands from hackers, arguing that it only encourages more attacks. In North Carolina, the state made it illegal for local governments to pay these kinds of ransoms.

“I know how critical our pipeline is to the country,” Colonial Pipeline CEO Joseph Blount said during testimony before a Senate committee after the attack, according to the Associated Press. “I put the interests of the country first.”

The shutdown of the 5,500-mile pipeline sent gas prices skyrocketing in North Carolina and up the East Coast. There were long lines outside gas stations and some ran out of gas.

“I made the decision to pay, and I made the decision to keep the information about the payment as confidential as possible,” Blount said. “It was the hardest decision I’ve made in my 39 years in the energy industry.”

The company said hackers got into its system through a virtual private network that was no longer in use, according to AP. Access to the VPN required what the CEO described as a “complicated” password, but not multi-factor authentication, which would have been more secure.

Colonial paid the ransom in Bitcoin, worth about $4.4 million, to a hacking group known as DarkSide. The Department of Justice said they managed to get about $2.3 million of that back.

“Following the money remains one of the most basic, yet powerful tools we have,” Deputy Attorney General Lisa Monaco said at the time.

“Ransom payments are the fuel that propels the digital extortion engine, and today’s announcement demonstrates that the United States will use all available tools to make these attacks more costly and less profitable for criminal enterprises.”

Federal investigators said they were able to track some of the Bitcoin digital payments to a specific online address. The FBI had the “private key” for the Bitcoin, essentially a password, and was able to get the money back.

Granite Falls

For Bujold’s medical records, it wasn’t actually his practice that got hacked, but a cloud service provider that ran his medical records software.

He said he used to run his own servers for medical records from his office. But after a while he realized that was costing about $30,000 a year. It made sense to move the medical records to the cloud and pay another company to keep things up and running.

Bujold said he was an early adopter of digital medical records. He worked with a Texas company called KPN Health and helped create a system called “point of care” reports. So at least he had that system running when they lost access to all their other medical records.

“Every night, their software goes into the charts of patients that are seen the next day. And they pull data, looking for gaps in care. And they print out a sheet for everybody that comes in the next morning,” he said. That sheet includes their medications, medical problems, and whether they’re overdue for screenings, such as a mammogram or a colonoscopy.

That server lived in their office, so they had those records up until the day they were hacked. They printed those and started new paper charts for each patient.

“The next day, we were full-blown back to paper,” Bujold said.

“We were into this about two weeks, and I naively thought, 'well, you know, certainly within two weeks, we'd be back and running with the backups that the cloud service did,'” he said. But that’s not what happened.

Unfortunately, Bujold said, the company kept its backups onsite, so those got hacked too. The stopgap that was supposed to be there wasn’t.

“I'm not sure why they did that. But you know, that's like, Cybersecurity 101,” he said. The company had no idea when they would get back online.

“At that time, they had hired a high-end cybersecurity firm. They hired a professional negotiator, and they brought in the FBI,” Bujold said. “The FBI right away knew exactly who this was. They said, ‘This is a Russian syndicate, and they do this two or three times every day around the world.’”

Dr. Ed Bujold lost access to his digital medical records when his cloud services provider got hit with a ransomware attack. (Charles Duncan/Spectrum News 1)

The gang demanded a $5 million ransom, Bujold said. But this was a smaller cloud-based company that only made about $2 million a year in revenue, he said.

On top of that, Bujold said, the company was underinsured. Two weeks turned into a month, turned into two months, and the situation dragged on.

“We were three, three and a half months into this, and still no answers, you know, and there wasn't anything that cloud-based service could tell us, the Russian hackers dug in their heels,” Bujold said.

“Then one day, all of a sudden, everybody caved. And the Russian syndicate came down to $500,000, which the cloud-based service paid for. And, they got their records back,” he said. It took almost another month to get all the systems back up and working again.

Hard choices

At about that two-week point, Bujold said he sat down with his office manager and reviewed their options.

“There are three ways this is gonna go. I can close the doors of the practice and retire, I can borrow a lot of money, you know, and if our cash flow goes down, and go into debt, or we can dig our heels in and fight this.” They went with option 3. They fought their way through it.

“It was ours to win or lose,” Bujold said.

It’s not like they had a big corporation backing them up. Bujold runs a small independent practice. There are no deep pockets that can jump in during an emergency.

“Fortunately, my office team really kind of took this as a challenge, and they did whatever we had to do to make things work,” he said.

Another part of the problem was they couldn’t bill insurance without the electronic records, so they couldn’t get paid. Luckily, another company helped them get a different computer system to restore insurance billing after about two weeks.

Bujold said he went to the bank and got a line of credit to tide them over.

“My office manager took the brunt of a lot of the calls that had to be made. She took this very seriously and probably got a few gray hairs over the six or eight months that were involved in this,” he said.

There was a lot of liability too. The last thing Bujold wanted was to miss something for a patient. There’s a lot to keep track of: X-rays, lab work, making sure patients come in when they’re supposed to, or after a trip to the hospital.

“We had to double down and make sure that everything that got sent out of the office got back on paper forms,” he said. “The staff really pulled together and figured out how to do that.”

Protecting data

When a doctor’s office or a hospital gets hacked, patient privacy becomes a whole separate level of concern.

Hackers can make money off ransom, but they can also sell that data on the dark web. That includes names, addresses, social security numbers, everything someone needs to steal identities.

Attacks on the health care industry are common. Atrium Health got hit in April 2022. Someone stole patient data from MCG, a service provider for UNC Lenoir Health Care.

“In December of 2021 and again in January of 2022, MCG was contacted by an unknown third-party who claimed to have improperly obtained patient data from MCG. This third-party made a demand for money in exchange for the return of the patient data to MCG. MCG opened an investigation and contacted the FBI,” UNC Lenoir said in a notice to patients.

“MCG made Lenoir aware of this incident on April 24, 2022. MCG’s forensic investigators confirmed that records for ten (10) patients were listed by this third party for sale on the dark web,” UNC Lenoir said. “Lenoir patient records were not found on the dark web, but MCG has determined that the unauthorized third-party may be in possession of Lenoir information which could include: patient name, Social Security number, medical codes, street address, telephone number, email address, date of birth and gender.”

For Atrium, UNC and Bujold’s practice, that potential for leaking patient information is critical.

When Bujold’s practice got hit, his medical malpractice company swung into action. They knew exactly what to do in this situation and had already had plenty of practice.

“They have a whole division that deals with cybersecurity and HIPAA violations,” Bujold said. HIPAA is the federal patient privacy law.

There was no way they could prove none of the patient information was leaked or sold, he said. “That was probably the most annoying thing.”

“It wasn't our fault that things got hacked. We were collateral damage,” Bujold said.

They had to open a case with the Justice Department and notify patients of the possible data breach. The insurance company set up a call line for people worried about their personal data. Bujold even had to take out an ad in two newspapers for two weeks saying their patient data may have been compromised.

Most of that was covered by insurance. But it was still annoying, and a lot to deal with, Bujold said.

“Finally, we got closure there. And they felt that we had complied with everything they asked us to do. I mean, everything worked out. But, you know, it was difficult,” he said.

Bujold’s saga lasted the better part of a year. But his practice survived. It started on a Sunday morning, unable to log in to check some patient records. It ended with an FBI investigation, dealing with lawyers and insurance companies, and months’ worth of heartache and hard work.

The gang responsible for the hack made off with $500,000, taking the money and, most likely, moving on to the next target.

These attacks happen every day around the world.

For Bujold, the top lesson he wants to share with other small business owners is this: don’t skimp on computer systems and service providers.

Almost everything people do on computers now is moving into the cloud, and people need to know they can trust the companies running that software.

Companies need to make sure their service providers are keeping backups off-site, Bujold said. They need to be ready to respond quickly and effectively if and when they get hacked.

Bujold said he switched from a small service provider to a Microsoft product. They back up their servers every night and store those backups in three different cities, he said.

“My biggest word of advice is, you know, you pay more to go with bigger companies, but in the long run, it probably is worth doing,” he said.