Clinical Trials Hit by Ransomware Attack


According to the New York Times, a recent incident was yet another reminder of the increasing risks to medical device and other healthcare companies.

Contract research organizations (CROs) helping manage clinical trials were victims of the attack on eResearchTechnology (ERT), a Philadelphia company that sells software used in hundreds of clinical trials, including the effort to develop treatments, tests and vaccines for the coronavirus.

The attack began when employees discovered that they were locked out of their data by ransomware, an attack that holds victims' data hostage until they pay to unlock it.  

IQVIA, a CRO helping manage AstraZeneca's Covid vaccine trial, and Bristol Myers Squibb, the drugmaker leading a consortium of companies to develop a quick test for the virus, were among those affected. ERT said clinical trial patients were never at risk.

ERT has not said how many clinical trials were affected, but its software is used in drug trials across Europe, Asia and North America. It was used in three-quarters of trials that led to drug approvals by the Food and Drug Administration last year, according to its website.

On Friday, Drew Bustos, ERT's vice president of marketing, confirmed to the NYT that ransomware had seized its systems on Sept. 20. As a precaution, Mr. Bustos said, the company took its systems offline that day, called in outside cybersecurity experts and notified the Federal Bureau of Investigation.

The attack on ERT follows another major ransomware attack last weekend on Universal Health Services, a major hospital chain with more than 400 locations, many in the United States. NBC News first reported the attack on UHS on Monday, and said it appeared to be "one of the largest medical cyberattacks in United States history."

In recent weeks, a ransomware attack in Germany resulted in the first known death from a cyberattack, after Russian hackers seized 30 servers at University Hospital Düsseldorf, crashing systems and forcing the hospital to turn away emergency patients. As a result, the German authorities said, a woman in a life-threatening condition was sent to a hospital 20 miles away in Wuppertal and died from treatment delays.

One of ERT's clients, IQVIA, said it had been able to limit problems because it had backed up its data. Bristol Myers Squibb also said the impact of the attack had been limited, but other ERT customers had to move their clinical trials to pen and paper.  

"Health care, pharmaceutical and research sectors working on Covid-19 response should all be aware they are the prime targets of this activity and take the necessary steps to protect their systems," the agencies said.

Original article: By Nicole Perlroth. Published Oct. 3, 2020. Updated April 27, 2021.