Trojan virus corrupts files at Haley VA Hospital

Posted at 10:28 AM, Sep 17, 2015
and last updated 2015-09-17 10:28:51-04

A cyber attack forced the James A. Haley VA Medical Center to partially shut down a computer drive shared by thousands of employees for days while experts assessed the damage.

The servers inside the hospital contain sensitive personal and medical information about nearly 100,000 veterans and 5,000 employees.

The VA discovered Friday that the data was put at risk by a Trojan virus found on a computer drive shared by 4,000 employees.

The virus corrupted multiple files.

“It is highly likely this was an employee who fell for a phishing scam that was sent by the bad guys,” said Stu Sjouwerman, who is CEO of a Tampa Bay cyber security company called KnowBe4.

His staff trains employees from more than 2,000 companies and local governments to avoid becoming victims of cyberattacks.

“In 2015, there were twice as many data breaches as in 2014 and 2013 combined,” Sjouwerman said.

The VA is a frequent target.

A monthly report to Congress from July shows the VA was targeted about 1.2 billion times by intrusion attempts, malware and suspicious emails.

In a statement regarding the Haley cyberattack, the VA said:

On Friday, mandatory anti-virus protections that are in place detected and deleted a Trojan virus on the "S drive" (which is a shared drive on a server for employees to store documents and other files). On review, it was determined that the virus had corrupted some files on the S drive prior to deletion. As a result, files on that drive were made read-only while internal scanning operations were performed to fully remediate the virus and ensure the integrity of the system. According to our Information Security Officials, there was no breach of data and patient care operations were not affected. Files were made read-only and any changes were able to be saved locally or to another server while remediation was taking place. The ISO and regional OI&T staff have completed the final checks on the remediation process and all employees have full access to the S drive again. The corrupted files will be restored to the server via a backup copy.

Karen Collins, Chief, Communications & Media Service, James A. Haley Veterans’ Hospital & Clinics

“This is very hard to know how much data left the building. So they can say they caught it in time, but who knows,” said Sjouwerman.

His business is booming, thanks to the increase in cyberattacks.

On the wall at KnowBe4 is a real-time map of cyberattacks going on around the globe.

It never stops lighting up.

“Every day, 24 hours a day,” said Sjouwerman. “For instance in China, there's a couple of thousand guys who do nothing else, who work in shifts.”

Sjouwerman says it takes an average of 220 days from the time of the initial breach until all the damage is discovered.

He reminds people not to click on attachments they didn't ask for, or on links in emails if they don't know where they go.

“It's one click. One click is enough,” Sjouwerman said.
