top of page

Hollywood Presbyterian Medical Center 2016: Medical Systems Outage

  • Writer: Matilda Drummond
    Matilda Drummond
  • Jun 10
  • 2 min read

Updated: Jun 16

Series: 2 Minute Case Studies

Root Cause Themes: Cybersecurity


Summary

In February 2016, Hollywood Presbyterian Medical Center lost access to its entire network, including critical electronic health records (EHR) and internal communications, for 10 days following a targeted ransomware attack.


Key Impacts

  • Clinical Disruption: Physicians lost electronic access to patient charts, lab results, and medical reports.

  • Patient Care & Safety: Emergency rooms were compromised, and critical patients had to be moved to alternative facilities.

  • Financial Capitulation: The hospital paid a $17,000 ransom (40 Bitcoin at the time) to regain access to decryption keys, establishing a dangerous precedent. Training and processes can be key to establishing a course of action that is proactive instead of panicked and reactive.


Vulnerabilities & Root Causes

  • Attacker Profile: The breach was allegedly executed by two individuals operating out of Iran as part of a wider, 34-month campaign targeting over 200 institutions.

  • Delayed Detection: The ransomware was misdiagnosed during the early stages, delaying containment protocols on the larger global attack, and highlighting how hard it is to stop damage from spreading once it has started.

  • Infrastructure Vulnerabilities: Given the extent of the damage, questions were asked about the hospital's use of data backups and encryption prior to the attack.


Further Implications

  • Paying the ransom validated the attackers' business model and contributed to an estimated 1.7 million subsequent copycat attacks globally.

  • Ransomware-as-a-Service (RaaS) increases the likelihood of these events occurring, because the sophisticated and debilitating encryption tools are commercially available to low-skill threat actors.


Sources



Enjoyed this breakdown? Follow for more case studies on how to identify hidden vulnerabilities and protect your organization. Let us know in the comments if there is a specific type of risk you want to know about!


Disclaimer: This is a high-level summary of a complex event with numerous compounding operational and legal variables.

Comments


bottom of page