On Feb. 11, the attack hit the publicly traded health company, which works with 75 percent of the 200 largest U.S. hospital chains. The company was unable to say whether the attack had accessed any patient data or confidential information. There were no available details on the attack, though NRC Health said it had no evidence that patients’ data had been breached.
Companies must, by law, report breaches of protected health data to the government.
The cyberattack seems to have been caused by ransomware, which means the hackers used a sophisticated kind of malware to infect a computer and encrypted files until a ransom was paid. Hospitals and other IT services have increasingly been targeted by these kinds of crimes in recent years. Since 2016, there have been 172 attacks on individual healthcare organizations. The cost has topped $160 million, according to Comparitech.
NRC Health Chief Information Officer Paul Cooper said the company shut its systems down after the attack, and has made progress in restoring them to normal.
The company sells software to about 9,000 healthcare organizations, including Cedars Sinai, Ochsner, Jefferson Health and Providence. Its competition includes names like Press Ganey.
NRC Health also collects health data on more than 25 million healthcare consumers per year, across the U.S. and Canada. It administers patient satisfaction surveys for hospitals, and the measures from those surveys are not only used for patient loyalty, but such things as determining how much hospitals get reimbursed.
In 2012, for instance, the Affordable Care Act was able to put in place a policy to withhold a percentage of Medicare reimbursements — from 1 percent and more — until a hospital can prove that patients are satisfied with its services.
Patient privacy has been a big issue in recent years. Officials have said that patients must have access to as much data as they need, while also respecting privacy.