My hospital hacked my computer

Hospital email is supposed to be secure. This means that when you get an email with possible sensitive information, you receive a link to connect to a secure email product, requiring passwords, sign-ins and maybe even a bit of personal information.

Being what they are, hospitals tend to swap software products and we find some new “secure solution” that hits us, urging us to give email, make a password and possibly disclose some new verifying information.

Two days ago, I received a very legitimate looking email from the hospital-physician liaison of our local main hospital. The originating email looked legit. It addressed me by my name. The address block was the same. The body of the email said it had a PDF file with my updated contract.

Unfortunately, our hospital has a nasty habit of trying to loop us into bad managed care contracts that cause trouble. Thus, I quickly clicked on the PDF file. As expected, I was sent to another sign-in page, but with a Dropbox logo.

Suddenly, I became uneasy. I had never seen the hospital use Dropbox. I use Dropbox for personal use, and this did not look like the standard page.

I called the hospital liaison on the phone.

Her response was immediate: “No! Don’t click on it! You are one of many! My computer was hacked!”

But, I was possibly already in trouble. Yes, I had clicked on the PDF attachment. I had not clicked on the next link, but I was worried.

Hours later, I got a call back. Hospital IT had confirmed the email may have contained viruses. (Actually, they claimed this without even looking at the offending email.) “Don’t worry. Just change your password.”

So, the hospital’s computer system had just been hacked. The hospital’s physician liaison, using an official hospital computer inside the hospital’s official email program, had clicked on a link. The link infected the hospital’s computer system. The invading virus read the email system’s address book and obtained information on the hospital staff.

The infection had then created a very sophisticated counterfeit email which knew my full name and email — complete with the appropriate address block of the hospital liaison at the end of the email. It attached a malicious PDF file to the email and sent out the email to all of the hospital staff, physician, administrative and anyone else in her address book.

If it had not been so devious, one could admire the virus’s craftsmanship.

I had been tricked into clicking an attachment and possibly infected.

Hospital IT’s advice: “Change your password, and warn all of your email contacts that you may have been infected.”

Really?

Like many, I have hundreds of passwords and gazillions of email contacts.

Instead, I quickly made sure the computer in question had all of its Windows 10 updates installed. I ran updated antivirus software. Everything seemed clean.

The next morning, I received an email from Amazon. Someone was trying to access my account. I quickly logged in and found no surprise purchases.

But, I was really worried. What was happening?

Hours later, my son texted me from California, saying he had tried to access our account to make a purchase and had hit log-in trouble. His failed attempts resulted in the warning email.

I was relieved. The Amazon warning had nothing to do with the hospital email … I think.

I continue to watch for unauthorized activity. So far, there has been none. Maybe I am safe?

But — I am angry.

I am angry our local hospital computer system was hacked and launched an attack on me and others. The sophistication of the attack was shocking.

I am angry at the “laidback” response from the hospital owning the hacked computer system. Clearly, there has been a serious breach in hospital IT security, and the response sounds like: “Nothing to see here. Move along.”

I am angry at the IT response of “change your passwords and notify every email contact” as the blanket solution. Perhaps they would like to look at the email I and others received?

I wonder at the extent of the hospital computer system compromise. Was patient data exposed? No one seems to care.

I am angry computer systems are being rammed down our throats that are obviously not secure.

I am angry these things are simply so vulnerable.

Steven Mussey is an internal medicine physician.

Image credit: Shutterstock.com

View 2 Comments >

Get KevinMD's 5 most popular stories.