Big health care analytics firm infected with ransomware

NRC Health's CIO told CyberScoop the company had “considered all options" to get its systems back online.
(Getty Images)

NRC Health, which sells software to some of the country’s largest health care organizations, shut down its computer systems last week following a ransomware attack, the company said in a statement Thursday.

Nebraska-based NRC Health, whose clients include big health care providers like the University of Missouri Health System, collects data on patient habits that could be a prime target for cybercriminals.

Asked by CyberScoop if his company had paid a ransom to regain access to its data, Chief Information Officer Paul Cooper would only say that NRC Health had “considered all options to restore systems as quickly as possible for our customers.” The FBI and an unnamed cybersecurity company hired by NRC Health are investigating, he said in an email.

It is just the latest ransomware incident in the health care sector, where sensitive personal data abounds but the resources to secure it are stretched thin. Many of the smaller health care delivery organizations don’t have a single, full-time security professional on staff, according to Joshua Corman, whose cybersecurity volunteer organization, I am the Cavalry, has studied the issue.


Despite the file-locking attack, Cooper said “there is still no evidence of unauthorized access to or acquisition of any data from our systems,” including “protected health information.” The company will finish gradually bringing its systems back online in the coming days.

Cooper did not identify the type of ransomware used in the attack, nor would he discuss the scope of the impact on NRC Health’s clients. “We are communicating directly with impacted clients.”

“Our resources are singularly dedicated to regaining full operability and investigating this matter to completion,” he said.

CNBC was first to report on the incident.

The health care sector has in recent years become more aware of the threat posed by ransomware, and has made progress in other areas such as working with researchers who uncover vulnerabilities in medical devices. But experts say more resources are needed.


Since the SamSam ransomware struck the network of Hollywood Presbyterian Medical Center in 2016, health care has been one of the biggest targets of ransomware, Corman added.

In the last seventh months, for example, ransomware infections have caused a hospital system in Alabama to turn away patients and a Southern California clinic to shut down permanently.

“Neither the hospitals nor their technology suppliers are battle tested for this new normal – and the learning curve is quite steep,” Corman told CyberScoop.

To prioritize limited resources, health care and security professionals should focus on protecting devices with the biggest implications for patient safety, he said.

“We need to expect the most cybersecurity hygiene from the most depended upon products,” Corman added.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts