A couple of health care practices have ceased operations in the United States this year as the consequence of a ransomware attack. Here’s the story of one of them. From HIPAA Journal in April 2019:

… ransomware encrypted the system at Brookside ENT and Hearing Center in Battle Creek which housed patient records, appointment schedules, and payment information rendering the data inaccessible.

The attackers claimed to be able to provide a key to unlock the encryption, but in order to obtain the key to decrypt files, a payment of $6,500 was required.

The two owners of the practice, William Scalf, MD and John Bizon, MD, decided not to pay the ransom as there was no guarantee that a valid key would be supplied and, after paying, the attackers could simply demand another payment.

Since no payment was made, the attackers deleted all files on the system ensuring no information could be recovered. The partners decided to take early retirement rather than having to rebuild their practice from scratch.

And (emphasis added) …

No patient data appeared to have been viewed or accessed prior to files being deleted so there is not believed to be any risk to patients; however, patients who had not obtained copies of their medical records prior to the ransomware attack will have lost all records stored by the practice.

That will naturally come at a cost to some patients, who may have to have medical tests performed for a second time. One patient at the practice told WWMT that her daughter had had surgery and she was attempting to schedule a follow-up appointment when she discovered that her medical records have been lost. She must now visit another provider, but that provider will have no details about the surgical procedure.

I see the following facts:
– a ransomware attack succeeded, and there was no way to recover (decrypt) or rebuild (via backup).
– the ransom demand was US$6,500.
– the ransom demand was not paid because it might not work.
– the owners took early retirement.
– patients lost their medical records.

“Risk” is an interesting word to use in the above context. Indeed, since the records were encrypted, it appears there is no risk of unauthorised access to said records, and thus patient privacy (in the sense of unauthorised access) was not compromised. But in a wider sense, there’s a lot of risk to patients as a consequence of their medical records being rendered permanently inaccessible. For those who are frequently unwell and suffer significant health complications, such loss adds delay (because new tests have to be done, but without trend analysis available), multiplies confusion (what did and didn’t happen in past times, and what treatments did and didn’t work for this individual), stress (via uncertainty on current status and outcomes), and more.

In the case of the above practice, the two owners took early retirement – and by implication, were financially equipped to do so. And yet they didn’t pay the ransom demand of $6,500 because it might not work. No one wants to be in such a situation, but there’s an argument to be made that they exhibited medical negligence towards their patients in doing so. Money doesn’t appear to have been the issue (since they had the resources to retire, as opposed to finding another job); it was the question of uncertainty about recovery. Since they had no other way to recover or rebuild, two options remained: take a calculated risk and pay the ransom demanded to acquire the recovery keys, or take the zero-risk option to themselves of ceasing business operations. The owners chose the second, without trying the first. Thus dumping all ongoing risk on patients.