Hospital chain attack part of ongoing cybersecurity concerns
Diverted ambulances, cancer treatment delayed and electronic health records offline are just some of ripple effects of an apparent cyberattack on a major nonprofit health system that disrupted operations throughout the U.S. While CommonSpirit Health confirmed it experienced an ”“IT security issue” earlier this week, the company has remained mum when pressed for more details about the scope of the attack
Your support helps us to tell the story
From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.
At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.
The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.
Your support makes all the difference.
Diverted ambulances. Cancer treatment delayed. Electronic health records offline. These are just some of ripple effects of an apparent cyberattack on a major nonprofit health system that disrupted operations throughout the U.S.
While CommonSpirit Health confirmed it experienced an “IT security issue” earlier this week, the company has remained mum when pressed for more details about the scope of the attack. The health system giant has 140 hospitals in 21 states and as of Thursday, it's still unknown how many of its 1,000 care sites that serve 20 million Americans were affected.
Despite the lingering questions, the incident underscores the growing concerns surrounding ransomware attacks on health care systems with patient care at stake.
In Tacoma, Washington, Mark Kellogg told KING-TV that his wife, Kathy, had been scheduled to get a cancerous tumor on her tongue removed on Monday, but the procedure was put off several days due to the cyberattack. Virginia Mason Franciscan Health's parent company is CommonSpirit Health.
“Everything we do today is all on a computer and without it you’re back to the stone age writing on a tablet,” Kellogg said.
In Iowa, the Des Moines Register reported that the incident forced the diversion of five ambulances from the emergency department of the city’s MercyOne Medical Center to other medical facilities.
The incident forced both MercyOne and VMFH to take certain IT systems offline — including patients' electronic health records — as a precaution.
Brett Callow, a threat analyst with cybersecurity provider Emsisoft, said the incident could be “the most significant attack on the healthcare sector to date” if all CommonSpirit hospitals and other facilities were affected.
Emsisoft has tracked at least 15 health care systems in the U.S. affected by ransomware this year, which manage more than 60 hospitals. Callow said data was stolen in 12 of the 15 instances, adding that those are almost surely undercounts as some ransomware attacks aren’t widely reported.
Callow said one of the largest known attacks within health care came in September 2020 when a ransomware attack struck all 250 health care facilities owned by Universal Health Services.
CommonSpirit’s incident could exceed that depending on how many of its facilities were hit. That could mean the company faces large financial costs to get through the incident and recover.
Callow cited the loss of more than $100 million reported by Scripps Health tied to a 2021 ransomware attack that affected its five hospitals in California as an example.
A spokesperson for CommonSpirit did not respond to messages seeking updated information on the incident Thursday.
The most worrying effect of any substantial attack on healthcare is on patients, Callow said.
“I’ve seen reports that at least one of the impacted hospitals had to divert ambulances to other facilities and that delay in getting people the care they need could obviously represent a risk to the lives of patients,” he said. “Beyond that, these incidents can have a long term impact on patient outcomes — delaying treatments, for example.”
In 2020, the FBI and other federal agencies warned that they had credible information that cybercriminals could unleash a wave of data-scrambling extortion attempts against U.S. hospitals and health care providers.
That's because ransomware criminals are increasingly stealing data from their targets before encrypting networks, using it for extortion. They often sow the malware weeks before activating it, waiting for moments when they believe they can extract the highest payments.
Health care is classified by the U.S. government as one of 16 critical infrastructure sectors, and health care providers are seen as ripe targets for hackers.
If patient data is accessed, health care providers are required by law to notify the Department of Health and Human Services.
___
Kruesi reported from Nashville, Tenn.