Anatomy of a Breach

Anatomy of a Breach: Hollywood Presbyterian — The Hospital That Paid $17,000 in Bitcoin to Get Its Systems Back

> series: anatomy_of_a_breach —— part: 086 —— target: hollywood_presbyterian —— ransom: 40_bitcoin —— systems_down: 10_days

Hedgehog Security 28 February 2016 13 min read

A hospital. Ten days without systems. $17,000 in Bitcoin to get them back.

In February 2016, Hollywood Presbyterian Medical Center in Los Angeles was infected with Locky ransomware that encrypted servers, workstations, and medical systems across the hospital. Staff were unable to access electronic health records, email, or laboratory results. Some patients were diverted to other hospitals. The hospital reverted to paper records and fax machines — essentially operating as it would have in the 1980s.

After over a week of disruption, CEO Allen Stefanek authorised payment of the 40 Bitcoin ransom (approximately $17,000 at the time) — describing it as 'the quickest and most efficient way to restore our systems.' The decryption key was provided and systems were restored. The payment, while modest compared to later ransomware demands, set a precedent: hospitals would pay because they could not afford not to. Healthcare — with its life-or-death dependence on system availability, its legacy infrastructure, and its limited IT budgets — was the perfect ransomware target. CryptoLocker had created the template; Hollywood Presbyterian proved it worked against healthcare.



Life-or-death urgency, legacy systems, limited budgets.

Patient Safety Creates Urgency to Pay

When a hospital's systems are encrypted, patient care is directly at risk. Clinicians cannot access medical histories, allergies, medications, or test results. The urgency to restore systems — measured in patient safety, not just business continuity — creates enormous pressure to pay. This makes healthcare the most lucrative ransomware target. Our <a href="/blog/sector-under-the-microscope-healthcare">healthcare sector analysis</a> examines this vulnerability.

Legacy Systems and Flat Networks

Hospitals run legacy medical systems that cannot be easily patched, on flat networks with minimal segmentation. The same conditions that enabled <a href="/blog/anatomy-of-a-breach-nhs-trust-fines-2011">repeated NHS data losses</a> also create ideal conditions for ransomware propagation. Our <a href="/penetration-testing/infrastructure">infrastructure testing</a> assesses network segmentation and legacy system isolation.

The Ransom Was Rational

At $17,000, the ransom was a fraction of the cost of continued downtime — estimated at hundreds of thousands of dollars per day in diverted patients, cancelled procedures, and staff overtime. The economic calculus made payment the rational choice, which is exactly why ransomware works. The defence is preventing the encryption from happening in the first place.

Foreshadowing the NHS WannaCry Attack

Hollywood Presbyterian in 2016 foreshadowed what would happen to the UK's NHS in May 2017 when WannaCry ransomware encrypted systems across multiple trusts. The warning signs were clear: healthcare infrastructure was vulnerable, the attack model was proven, and the sector had not prepared. <a href="/cyber-essentials">Cyber Essentials</a> provides the baseline controls that reduce ransomware risk.

Prevention is cheaper than paying the ransom.

For UK healthcare organisations, the Hollywood Presbyterian attack was a direct warning. The controls that prevent ransomware are the same controls this series has advocated for eight years: prompt patching (Cyber Essentials Danzell mandates 14-day patching), email security and staff awareness (social engineering assessments), network segmentation to limit propagation (infrastructure testing), immutable offline backups that are regularly tested, MFA on all remote access, and continuous SOC monitoring for healthcare that detects ransomware deployment before encryption completes.

UK Cyber Defence provides the incident response capability when ransomware strikes — including forensic investigation, containment, recovery support, and negotiation advice. Because the $17,000 ransom that Hollywood Presbyterian paid was the opening bid. By 2025, ransomware demands against healthcare organisations would reach millions.


$17,000 in 2016. Millions in 2025. Is your healthcare organisation prepared for ransomware?

<a href="/cyber-essentials">Cyber Essentials</a> reduces ransomware risk. <a href="/penetration-testing/infrastructure">Infrastructure testing</a> validates segmentation. <a href="https://www.socinabox.co.uk/sectors/gp-surgeries">SOC in a Box for Healthcare</a> detects ransomware deployment.
