Chicago – Ambulance diverted. Delay in cancer treatment. Electronic health records Offline These are some of the ripple effects of an apparent cyber attack on a major nonprofit health system that disrupted operations across the US.
While CommonSpirit Health confirmed it had experienced an “IT security issue” earlier this week, the company remained silent when pressed for further details about the scope of the attack. The health system giant has 140 hospitals across 21 states. As of Thursday, it was still unknown how many of its 1,000 care sites that serve 20 million Americans were affected.
Despite the lingering questions, the incident underscores the growing concerns surrounding Ransomware attacks On health care systems with patient care at stake.
In Tacoma, Washington, Mark Kellogg told KING-TV that his wife, Kathy, had a cancerous tumor on her tongue removed Monday, but the cyber attack delayed the procedure for several days. CommonSpirit Health is the parent company of Virginia Mason Franciscan Health.
“Everything we do today is on a computer, and without it you’re back in the stone age writing on a tablet,” Kellogg said.
In Iowa, the Des Moines Register reported that the incident forced the diversion of five ambulances from the city’s emergency department. MercyOne Medical center for other medical facilities.
The incident forced both MercyOne and VMFH to take certain IT systems offline as a precaution — including patients’ electronic health records.
Brett Callow, threat analyst with Cyber security provider mcsoftsaid the incident could be “the most significant attack on the health care sector to date” if all CommonSpirit hospitals and other facilities were affected.
Microsoft has tracked at least 15 health care systems in the US, which operate more than 60 hospitals, affected by the ransomware this year. Data was stolen in 12 of the 15 cases, Kallow said, adding that those are almost certainly fewer because some ransomware attacks are not widely reported.
The largest known attack in health care occurred in September 2020 when a ransomware attack hit all 250 health care facilities owned by Universal Health Services, Kello said.
A CommonSpirit incident may exceed that, depending on how many of its facilities are hit. It can mean that the company faces huge financial costs to survive and recover from the incident.
Kello cited as an example the loss of more than $100 million reported by Scripps Health linked to a 2021 ransomware attack that affected five of its hospitals in California.
Asked for more information about the incident and its implications Thursday, a spokeswoman for CommonSpirit said the health system could not provide further details.
The most worrisome impact of any significant attack on healthcare is on patients, Kello said.
“I have seen reports that at least one affected hospital had to divert ambulances to other facilities and the delay in people getting the care they need can obviously represent a risk to patients’ lives,” he said. “Furthermore, these events can have a long-term impact on patient outcomes – for example delaying treatment.”
In 2020, the FBI and other federal agencies warned that they had credible information that cybercriminals could launch a wave of data-scrambling extortion attempts against US hospitals and health care providers.
That’s because ransomware criminals are increasingly stealing data from their targets before encrypting the network, using it for extortion. They often plant the malware weeks before activating it, waiting for the moments when they believe they can pay off the most.
With health care classified as one of 16 critical infrastructure sectors by the US government, health care providers are seen as a perfect target for hackers.
If patient data is accessed, health care providers are required by law to notify the Department of Health and Human Services.
___
Krusey reported from Nashville, Tennessee.
