
UVM Medical Center Ransomware Attack: October 2020 Insights

Learn about the UVM Medical Center ransomware attack from October 2020, including the incident details, damage, response, and key takeaways.

Incident Details

In October 2020, the University of Vermont (UVM) Health Network, a vital healthcare provider serving over a million patients across Vermont and upstate New York, fell victim to a debilitating ransomware attack. The incident began with an employee error: a staff member on vacation opened a phishing email disguised as communication from their homeowners association, and doing so installed malware on the employee's work laptop. When the employee returned to work and connected the laptop to the UVM network, the malware spread rapidly, targeting critical infrastructure.

On October 28, UVM's IT department began receiving alarming reports of server malfunctions and application glitches, and immediately shut down computer and phone systems to limit further damage. The cybercriminals had encrypted vital data; UVM sought assistance from the FBI and refused to engage with the attackers. Although the organization's robust cybersecurity measures prevented a data breach, the attack wreaked havoc on operations, disabling over 1,300 servers and 600 applications and causing widespread delays in patient care and substantial financial losses. The repercussions of this incident are a stark reminder of the vulnerabilities that healthcare organizations face in an increasingly digital landscape.

Damage Assessment

  • The UVM Health Network experienced significant operational disruption, resulting in the shutdown of critical technology and services for several weeks.
  • Approximately 1,300 servers were damaged, and 600 applications were disabled, impeding access to vital systems.
  • Over 5,000 computers were infected with malware, requiring extensive scanning and cleaning to remove threats and restore functionality.
  • The attack did not result in data theft but caused delays in patient care, including postponed test results and canceled appointments.
  • The financial impact was substantial, with losses estimated at $1.5 million per day, totaling over $63 million, far exceeding the organization's $30 million cyber insurance coverage.
  • Employees faced difficulties performing their job responsibilities, leading to a diminished capacity to handle patient inquiries and provide timely medical services.
  • Recovery efforts included rebuilding infrastructure and restoring data from backups, which extended the timeline for implementing a new electronic health record system.

How It Happened

The UVM Health Network ransomware attack occurred due to a combination of employee error and a lack of robust cybersecurity protocols. In October 2020, an employee inadvertently opened a phishing email while using their work laptop during a vacation. This email, disguised as legitimate communication from their homeowners association, was a vehicle for malware that cybercriminals used to gain access to the organization’s systems.

When the employee returned to work and connected the compromised laptop to the UVM Health Network's infrastructure, the malware activated, allowing the attackers to infiltrate the network. The incident highlighted vulnerabilities in the organization’s cybersecurity practices, particularly regarding employee training on identifying phishing attempts and the use of work devices for personal activities.

Although UVM Health Network had existing cybersecurity measures in place, they were insufficient to prevent the incident from escalating into a ransomware attack. The attack emphasized the need for stricter policies on device usage and comprehensive training programs to mitigate the risks associated with human error in cybersecurity.

Response

Upon noticing server issues and glitching applications, the IT department at UVM Health Network became suspicious of a potential cyberattack. In response, they quickly decided to go offline, shutting down computer and phone systems to safeguard sensitive records. This immediate action aimed to contain the threat and prevent further damage to the organization's infrastructure.

During their investigation, the IT team discovered a text file left by the cybercriminals on one of the compromised devices. This file indicated that the organization’s systems had been breached and that data had been encrypted. Instead of engaging with the attackers, UVM Health Network's IT department prioritized contacting the FBI for assistance, thus initiating a coordinated response to identify the source of the attack and mitigate its impact. By taking these steps, they effectively triaged the situation, preventing the malware from spreading further throughout the organization.

Key Takeaways

Incident Awareness: The UVM Medical Center ransomware attack highlighted the critical need for research hospitals to recognize the potential vulnerabilities within their systems.

Preparedness Planning: Establishing comprehensive incident response plans is essential. Regular training and simulations can help staff respond effectively to cyber threats.

Data Backup Protocols: Implementing robust data backup strategies ensures that hospitals can recover quickly from attacks without paying ransoms.

Regular Security Audits: Conducting frequent security assessments can identify weaknesses before they are exploited, allowing for proactive measures.

Employee Training: Continuous education for staff on recognizing phishing attempts and other cybersecurity threats is vital to fortify the human element of security.

Investment in Cybersecurity Services: Collaborating with specialized cybersecurity firms like HackersHub can provide research hospitals with the expertise and tools necessary to strengthen defenses and mitigate risks effectively.

Incident Reporting Systems: Establishing clear channels for reporting suspicious activity can help in detecting and responding to threats more swiftly.

Collaboration and Information Sharing: Engaging with other institutions to share insights and experiences can enhance overall security posture across research hospitals.
