An Unseen Threat Actor Attacks a Critical Access Hospital's Digital Network in Sandusky, Michigan
As soon as information technology (IT) systems began shutting down, the IT team at McKenzie Health System, a
Critical Access Hospital (CAH) in Sandusky, Michigan, knew they had a problem. On or about March 11, 2022,
according to Steve Barnett, the chief executive officer (CEO) of McKenzie Health System, the IT team
notified him that the CAH's computer and information systems were under attack from an unknown threat actor.
A threat actor exploits weaknesses in computers, firewalls, IT networks, and systems to carry out malicious
activity in the digital space. They operate covertly, often trading stolen data and access on the dark web, and
continually probe for vulnerabilities in information systems, commonly through phishing attempts via bogus emails that contain viruses or
After a thorough but quick forensic investigation, McKenzie Health's IT director determined that the attack
had begun approximately 24 hours before it was discovered and that the threat actors were demanding a seven-figure ransom
to prevent the release of potentially exposed protected health information (PHI) and other private information on the
dark web. While working to identify the breached data and contain the attack, the hospital was unable to
immediately determine the initial point of entry, but Barnett said the most likely culprit was a phishing
email that got past their spam filtering and allowed the delivery of additional malicious
He described the attack as a “smash and grab,” similar to a robbery where the perpetrators do
not have a specific target in mind but take as much as they can until they are discovered and then get out.
The initial phase of the response for McKenzie Health involved determining what was happening, where the
attack was coming from, and who was responsible. Because the IT team needed to rebuild the lost information
and get downed systems back online quickly, the hospital first moved to contain the threat by taking
its systems entirely offline. Barnett said his team responded well and naturally flipped over to paper
systems. He attributed this fluidity between old tech and new tech to being rural and being accustomed to
dealing with interruptions to the digital pipeline from time to time. According to him, the team is very
familiar with what to do if a tool fails and that they must do things differently in those instances.
Barnett added, “That is the nature of rural versus urban. You learn to adapt more quickly in both
directions.” As the time offline increased, however, staff anxiety increased and that amplified the
need to rebuild and get back online as quickly as possible.
One challenge to initiating such a quick recovery and rebuilding systems during a cyberattack is the risk of
destroying forensic evidence about where the attack came from and who was responsible. This risk must be weighed
against the damage that is being done. Barnett thought the hospital may have started the recovery a little
too quickly, but with all of the involvement of lawyers, threat actor negotiators, and the need to examine
and isolate the affected systems, decisions had to be made. He also commented that their cybersecurity
insurance company was advising and assisting the hospital the entire time.
When it was determined that the attack did not seem to go as deep as previously thought, and with the
recovery of files and information already in progress, McKenzie Health made the gut-check decision to not
pay the ransom. The IT team restored computer and IT systems to 12 hours prior to the attack. Barnett
described the conversation:
“It's Saturday night, about 8:00 or 9:00. I am on the phone with my IT director, chief operations
officer (COO), and chief financial officer (CFO). We are aware of the problem; we have some sense of what
happened and what was penetrated. My IT director has done a search of the dark web and looked at who he
thinks it is. We have to make a judgment call about their integrity. What do they want? How is this going to
go? We have no guarantee that if we pay, it will prevent the release of [information] they were able to get.
It did not feel like we were going to be able to win and I am not a fan of paying people to behave badly or
do bad things to you. So, we made the decision not to pay the ransom.”
Another important part of the decision was an analysis conducted by the leadership team. The analysis
determined that McKenzie Health had been taking appropriate precautions, had implemented preventive training,
and had appropriate firewalls and security controls in place to prevent such attacks. They believed federal
officials would look at this evidence in any future audit of the incident.
Despite having a breach, Barnett credited his hospital's firewalls and continuous education about phishing
emails for keeping out many other potential threats. He said they cannot stress enough that bad actors are
always waiting to take advantage of a situation. The hospital constantly communicates to staff the need to
be vigilant and educates them on ways to identify phishing emails. Barnett stressed, “They are trying
to get you to push a button in an email. We teach staff to look at the email address and domain. If what is
being asked does not seem logical, stop. Email is where you are most vulnerable but we're not going to take
email away from everybody, so we have to educate people to use it wisely and purposefully.”
He also emphasized the disaster recovery efforts that McKenzie Health had in place as being critical:
“When our insurance broker started talking about the need for cybersecurity insurance 5 or 6 years
ago, none of it made a lot of sense, but the threat seemed real enough, so we went with something limited
and expanded over time. The costs for this sort of thing can add up fast with law firms, risk assessment,
the threat actor negotiator; it is crazy. In addition, all of this is crucial because the incident must be
reported to the proper authorities, and you need to prepare for any future audits from the federal
government. They can audit you at any time and you may have additional penalties.”
McKenzie Health also engaged a disaster recovery organization prior to the incident and has redundancy in
their IT system through a remote server that is isolated from the hospital network in an offsite location.
Their IT system backs up approximately every 12 hours, which aided in the recovery of critical processes and
Given the nature of the breach, McKenzie Health did not release a formal statement to the media. However, in
a small community, news travels fast and the local newspapers and radio station began inquiring about what
happened. The hospital leaned on the expertise of their attorney to develop messages that could be shared
with the media. Barnett said McKenzie Health asked the media to “give us time to figure this
out” and the request was respected.
The hospital then began putting together a patient notification list that was tiered by potential risk based
on what personal information might have been compromised. The disaster recovery service professionals
engaged by the cybersecurity insurance company helped McKenzie Health with messaging and with determining what
services needed to be provided to the individuals in the different potential exposure tiers. The
hospital also provided monthly credit monitoring for a year to the individuals in the highest tier.
“It's no longer news, but the notification process continued to elicit calls and questions for the
facility,” said Barnett.
Nearly four months later, they are still not done. McKenzie Health continues to be involved with their
disaster recovery team. Barnett said the hospital has learned a lot. “Our firewalls are continually
learning,” Barnett explained. “We are building better firewalls. We are also trying to go virtual as
much as possible, working to find a good path to access software from a central location and limit another
Barnett encouraged healthcare leaders not to be naïve. “If you are operating in an electronic
environment, as most healthcare providers are, it is not if you will suffer a cyberattack, it is
when you will become a victim and so organizations should make sure they are educating,
communicating, and preparing for disaster recovery. They [threat actors] are going to get in.”
One of the barriers encountered during the recovery was a lack of understanding about some of the
characteristics of McKenzie Health's electronic health record (EHR) that would have been helpful to know
during the offline period. This lengthened the time it took to rebuild the records after systems came back
online. Barnett encouraged healthcare organizations to learn about their EHR systems. “We learned
after this process some things about our EHR that would have been helpful to know and would have been
beneficial in the recovery. We essentially had an impenetrable, closed system for progress notes that could
have helped in the rebuild,” Barnett shared.
Barnett recommended continually educating staff on determining whether an email is real or a phishing
attempt. Barnett shared that threat actors are constantly sending out emails in the CEO's name asking
employees to complete a task or make a purchase. He encouraged teaching people to focus, stop, and think,
“Would that person really ask me to do that?” before responding to suspicious emails.
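The checks Barnett describes, looking at the sender's address and domain and asking whether the request fits the named person, can also be applied automatically to message headers before a staff member ever sees the email. The following is an added example, not code from McKenzie Health or the Rural Health Information Hub; the organization domain, the executive roster, and the four sample messages are constructed for illustration. It flags an executive's display name paired with an outside address, a lookalike domain, and a Reply-To that silently redirects replies away from the apparent sender.

```python
"""Flag executive-impersonation ("CEO fraud") emails from raw headers.

Added example; the domain, roster and sample messages below are hypothetical.
"""
from email import message_from_string
from email.utils import parseaddr

# Assumed organization domain and executive roster (constructed values).
ORG_DOMAIN = "example-health.org"
EXECUTIVES = {"steve barnett": "sbarnett@example-health.org"}

# Constructed sample messages: one legitimate, three suspicious.
SAMPLES = {
    "legit": (
        "From: Steve Barnett <sbarnett@example-health.org>\n"
        "Subject: Board packet\n\nSee attached.\n"
    ),
    "ceo_fraud": (
        "From: Steve Barnett <steve.barnett.ceo@gmail.com>\n"
        "Reply-To: steve.barnett.ceo@gmail.com\n"
        "Subject: Urgent: gift cards\n\nAre you at your desk? I need gift cards.\n"
    ),
    "lookalike": (
        "From: IT Helpdesk <helpdesk@example-health-secure.com>\n"
        "Subject: Password expires today\n\nClick here.\n"
    ),
    "replyto": (
        "From: Steve Barnett <sbarnett@example-health.org>\n"
        "Reply-To: s.barnett@outlook.com\n"
        "Subject: Wire\n\nPlease process.\n"
    ),
}


def _normalize_name(name: str) -> str:
    """Lower-case, strip commas and collapse whitespace for roster lookup."""
    return " ".join(name.lower().replace(",", " ").split())


def assess_message(raw: str) -> dict:
    """Return findings for one RFC 5322 message given as a string."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""
    reasons = []

    # 1. Display name matches an executive but the address is not theirs.
    name = _normalize_name(from_name)
    if name in EXECUTIVES and from_addr.lower() != EXECUTIVES[name]:
        reasons.append(
            f"display name '{from_name}' used with non-executive address {from_addr}"
        )

    # 2. Domain is not ours (or a subdomain of ours) but contains our name.
    is_ours = from_domain == ORG_DOMAIN or from_domain.endswith("." + ORG_DOMAIN)
    if from_domain and not is_ours and ORG_DOMAIN.split(".")[0] in from_domain:
        reasons.append(f"lookalike domain {from_domain}")

    # 3. Replies would go somewhere other than the visible sender.
    if reply_to and reply_to.lower() != from_addr.lower():
        reasons.append(f"Reply-To {reply_to} differs from From {from_addr}")

    return {"from": from_addr, "suspicious": bool(reasons), "reasons": reasons}


def assess_all() -> dict:
    """Assess every constructed sample; keyed by sample name."""
    return {label: assess_message(raw) for label, raw in SAMPLES.items()}


if __name__ == "__main__":
    for label, result in assess_all().items():
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{label:10} {flag:10} {'; '.join(result['reasons'])}")
```

The fourth sample is the one the "look at the address" advice alone misses: the From address is the CEO's real one, which is trivial to forge on mail that is not protected by SPF and DMARC, and only the redirected Reply-To gives it away. In production such checks would run in the mail gateway and would be paired with those sender-authentication results rather than replacing them.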
Barnett also suggested “looking at educational opportunities, going to sessions at conferences, and
finding out what you need to be paying attention to. Don't wait until it happens to you.”
Steve Barnett, Chief Executive Officer
McKenzie Health System
Opinions expressed are those of the interviewee(s) and do not necessarily reflect the views of the Rural
Health Information Hub.