Public Media for Central Pennsylvania
Play Live Radio
Next Up:
0:00 0:00
Available On Air Stations

Small Indiana Nonprofit Falls Victim To Ransom Cyberattack

Everything was missing. Client files, financial data — all gone one Wednesday morning from the servers of Cancer Services of East Central Indiana — Little Red Door.

The small, Muncie-based nonprofit had been hit by a cyberattack like those that locked computers around the world last week.

The organization was hacked in January and, months later, is still recovering.

Executive Director Aimee Robertson-Fant says the group couldn't figure out what happened to its data when it went missing from the server.

What hackers did was "diabolical"

Adding to the confusion, she says, her staff started getting strange text messages "saying that 'they were going to be our new best friends' and that 'they were going to help us.' "

Next came the email with the subject line "Cancer Sucks, But We Suck More!"

"It was diabolical. It was cruel," Fant says. "They were brutal."

Hackers accessed the nonprofit's server after a staffer inadvertently downloaded malware from an email. The hackers wanted 50 bitcoin, or what was then about $43,000, to return the data and keep it private.

"I hate to use the word traumatic, but it was," Fant says. "You just don't understand what's happening, you just — it's sort of an out of body experience, where we just couldn't figure out why someone would be doing this to us."

Aimee Robertson-Fant went to work for Little Red Door after her mother used its services during her own battle with cancer. She calls the hack "traumatic."
Annie Ropeik / Indiana Public Broadcasting
Indiana Public Broadcasting
Aimee Robertson-Fant went to work for Little Red Door after her mother used its services during her own battle with cancer. She calls the hack "traumatic."

Fant says the FBI told her it has been investigating this group of hackers, and that they probably wanted sensitive information, such as bank account or Social Security numbers.

The hackers did not attack another nonprofit, the Little Red Door Cancer Agency, which is based in Indianapolis.

Hackers published private letters

But Little Red Door doesn't keep anything like that on file, Fant says. So when it decided not to pay the ransom, the hackers posted what they did have.

"It was pretty despicable," Fant says. "We send out grief letters to families [of] clients who have passed away, and they did publish some grief letters — on Twitter."

Michael Wolfe, chief technology officer of Muncie-based software firm Ontario Systems, says organizations like Little Red Door are "only secure as your weakest link in the chain," making them susceptible to hacking.

"So you need to be prepared for what you will do if that happens," he says, "because the likelihood of that happening is increasing daily."

Wolfe volunteered to help Little Red Door secure what data they could. But they couldn't recover everything.

Fant says her staff has spent months painstakingly entering client information, from handwritten notes and manila folders piled and filed all over the office, back into their computers.

Patient advocate Diana Rinker has been cheerfully leading that effort.

"I have a month of back data to enter," she says. She hoped to finish it that day. Then, she says, "we'll be caught up on this end."

Rinker was herself diagnosed with cancer just before the hack. She says she's been on data entry duty between rounds of chemotherapy.

"It's made it a little stressful," she says. "But it's so nice when our clients come in, because we've not had one client that hasn't been understanding."

Lesson for small businesses

Little Red Door has struggled since the hack with more than just paperwork. Without all its data in hand it hasn't been able to get much of the grant funding that pays its bills.

Michael Wolfe, the software company CTO, says there's a lesson here for small nonprofits and businesses.

"Stop. Sit down with your board. ... and think through some questions about: What is your IT infrastructure? Where do you store data? What is your data?" he says. "I'm sure that there are improvements to be made that could prevent devastation."

Hackers don't discriminate, he says, and no matter how small your business or how noble your nonprofit's mission, you could be vulnerable.

Copyright 2021 IPBS. To see more, visit IPBS.

Corrected: June 19, 2017 at 12:00 AM EDT
This story has been edited to add that Cancer Services of East Central Indiana – Little Red Door is separate from the Little Red Door Cancer Agency in Indianapolis, which was not the target of a cyberattack.
Annie Ropeik reports on state economy and business issues for all Indiana Public Broadcasting stations, from a home base of WBAA. She has lived and worked on either side of the country, but never in the middle of it. At NPR affiliate KUCB in Alaska's Aleutian Islands, she covered fish, oil and shipping and earned an Alaska Press Club Award for business reporting. She then moved 4,100 miles to report on chickens, chemicals and more for Delaware Public Media. She is originally from the D.C. suburb of Silver Spring, Maryland, but her mom is a Hoosier. Annie graduated from Boston University with a degree in classics and philosophy. She performs a mean car concert, boasts a worryingly encyclopedic knowledge of One Direction lyrics and enjoys the rule of threes. She is also a Hufflepuff.