OrthoNebraska, an Omaha hospital, was one of more than 200 victims targeted in a years-long computer-hacking plot, according to the U.S. Justice Department.
The Justice Department has indicted two Iranian men in connection with a scheme known as “SamSam” that since 2015 has caused more than $30 million in financial damage to city governments, universities, hospitals and others.
The information technology director at OrthoNebraska, Paul Hakenkamp, told The World-Herald the hospital paid about $2,000 in ransom.
The indictment alleges that Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri exploited security gaps in computer networks to install malicious software designed to make computer data inaccessible to the rightful user.
After disabling computers, the defendants left ransom notes in the form of a file on each computer. The notes told the victims they would have to pay Bitcoin, a virtual currency, to regain access to their data.
The Justice Department referred to the scheme as “21st-century digital blackmail.”
Officials said the men collected more than $6 million in ransom payments. Victims reported additional losses of more than $30 million resulting from the loss of access to their data.
OrthoNebraska was impacted in July 2016, when the facility was operating under the name Nebraska Orthopaedic Hospital. No patient data was accessed, CEO Levi Scheppers told The World-Herald on Thursday.
Hospital employees were locked out of certain systems. If systems were critical to patient care, appointments were rescheduled within a couple days, Scheppers said. Thirteen patients were impacted. Hospital officials had called those patients, saying there had been a computer outage.
A third party affiliated with the hospital’s cyber liability insurance recommended that the hospital pay the relatively small ransom to more quickly access critical computer systems, the IT director said.
“From a loss perspective, it’s really nominal,” said Scheppers, the CEO. “We’re one of the very lucky ones.”
Other victims named in the indictment included major cities such as Atlanta and Newark, New Jersey; organizations in San Diego, Canada and Colorado; as well as health care institutions in Chicago, Los Angeles and Wichita.
As part of the plot, if the ransom money was paid, two other Iranian nationals converted the illicit funds into Iranian currency, the Treasury Department said Wednesday.
The Justice Department appeared to acknowledge that the chances of Savandi and Mansouri seeing the inside of a U.S. courtroom are slim, at least for now. The defendants, who acted inside Iran, are now fugitives from justice, Deputy Attorney General Rod Rosenstein said in a statement.
The indictment did not include allegations that Savandi and Mansouri were acting on behalf of the Iranian government.
This report contains material from The Washington Post.
