Investigation Confirms No Patient or Employee Information

Compromised in Cyberattack on ARH system

November 15, 2016 - After a thorough investigation into the late August cyberattack on the
Appalachian Regional Healthcare (ARH) system, findings from independent computer forensic
experts as well federal authorities have determined that no ARH patient or employee health or
financial information was comprised in the attack.
According to Mainstream Security (MS), the expert digital forensic team contracted to provide
incident response and forensic investigation services during the incident, the ransomware
incident that occurred on August 27 and kept the ARH computer system down for nearly two
weeks was identified through a combined forensics analysis by Mainstream Security, the United
States Department of Homeland Security and the Federal Bureau of Investigation as a new
malware that had not been previously observed by the DHS or the FBI.
The investigation determined that the malware which was used in the attack on ARH was
designed to affect only computers that run on the Windows operating system. Mainstream
Security says the malware was only able to access files on one ARH test server used to test
certain software programs before they are rolled out to ARHs hospital locations. This test
server did not house any health or personal information for ARH patients or employees.
According to Mainstream Securitys findings, the malware did not gain access to information on
computers on the ARH network, which do not run on the Windows operating system, and no
personal or protected health information (PHI) was accessed on those computers throughout
ARHs locations in eastern Kentucky and southern West Virginia.
The Mainstream Security team says that based on all factors they used in the investigation, it is
reasonable to conclude that no ARH PHI was acquired or viewed by the threat actors. Issues
that caused the attack to be successful have been remediated and the threat actors no longer
have access to the system. MS determined that there was no malware implanted that would
allow future access. The threat actors only had access one day before the discovery and that
access was only to a very limited set of files and none of these files included PHI of ARH.

As the health system continues to move forward tighter security measures are in place, and
ARH has contracted with SDG Blue, an experienced IT security organization with a focus on the
recent Office of Civil Rights (OCR) Phase II HIPAA audits. SDG Blue will be completing annual
HIPAA Security Risk Assessments, periodic firewall penetration testing, and upgrades to all the
layers of security protection engineered to forestall threats and exposures in the internet of
today.

In this electronic age in which we operate, these types of occurrences are unfortunately
becoming increasingly sophisticated, and no company large or small - is fully immune. Thanks
to the swift response of our ARH Information Technology team, this malware was quickly
detected, and as a safeguard all ARH computers and web-based services were immediately
shut down and remained down until we could fully investigate the nature and source of the
attack, ARH President and CEO Joe Grossman said. We are proud of the manner in which our
team handled this incident as well as the dedication and teamwork that was shown by our
employees working throughout our ARH facilities as they rose to the occasion and
demonstrated just how resilient our healthcare team can be no matter what challenge may
come our way.

Appalachian Regional Healthcare (ARH), is a not-for-profit health system operating

11 hospitals, multi-specialty physician practices, home health agencies, home medical
equipment stores and retail pharmacies in Kentucky and West Virginia. ARH employs
nearly 5,000 people with an annual payroll and benefits of $297 million generated into
our local economies. ARH also has a network of more than 600 active and courtesy
medical staff members. ARH is the largest provider of care and single largest employer
in southeastern Kentucky and the third largest private employer in southern West
Virginia, and is consistently recognized for its medical excellence.