Hospital chain attack part of ongoing cybersecurity concerns

Oct 6, 2022, 1:32 AM | Updated: 4:13 pm

The MercyOne Des Moines Medical Center campus is seen, Thursday, Oct. 6, 2022, in Des Moines, Iowa....

The MercyOne Des Moines Medical Center campus is seen, Thursday, Oct. 6, 2022, in Des Moines, Iowa. Diverted ambulances. Cancer treatment delayed. Electronic health records offline. These are just some of ripple effects of an apparent cyberattack on the major nonprofit health system that disrupted operations throughout the U.S. Meanwhile, The Des Moines Register said the incident occurred Monday, Oct. 3, 2022, and forced the diversion of five ambulances from the emergency department of the city's Mercy One Medical Center to other medical facilities. (AP Photo/Charlie Neibergall)

(AP Photo/Charlie Neibergall)

CHICAGO (AP) — Diverted ambulances. Cancer treatment delayed. Electronic health records offline. These are just some of ripple effects of an apparent cyberattack on a major nonprofit health system that disrupted operations throughout the U.S.

While CommonSpirit Health confirmed it experienced an “IT security issue” earlier this week, the company has remained mum when pressed for more details about the scope of the attack. The health system giant has 140 hospitals in 21 states. As of Thursday, it’s still unknown how many of its 1,000 care sites that serve 20 million Americans were affected.

Despite the lingering questions, the incident underscores the growing concerns surrounding ransomware attacks on health care systems with patient care at stake.

In Tacoma, Washington, Mark Kellogg told KING-TV that his wife, Kathy, had been scheduled to get a cancerous tumor on her tongue removed on Monday, but the procedure was put off several days because of the cyberattack. Virginia Mason Franciscan Health’s parent company is CommonSpirit Health.

“Everything we do today is all on a computer, and without it you’re back to the stone age writing on a tablet,” Kellogg said.

In Iowa, the Des Moines Register reported that the incident forced the diversion of five ambulances from the emergency department of the city’s MercyOne Medical Center to other medical facilities.

The incident forced both MercyOne and VMFH to take certain IT systems offline — including patients’ electronic health records — as a precaution.

Brett Callow, a threat analyst with cybersecurity provider Emsisoft, said the incident could be “the most significant attack on the health care sector to date” if all CommonSpirit hospitals and other facilities were affected.

Emsisoft has tracked at least 15 health care systems in the U.S. affected by ransomware this year, which manage more than 60 hospitals. Callow said data was stolen in 12 of the 15 instances, adding that those are almost surely undercounts as some ransomware attacks aren’t widely reported.

Callow said one of the largest known attacks within health care came in September 2020 when a ransomware attack struck all 250 health care facilities owned by Universal Health Services.

CommonSpirit’s incident could exceed that, depending on how many of its facilities were hit. That could mean the company faces large financial costs to get through the incident and recover.

Callow cited the loss of more than $100 million reported by Scripps Health tied to a 2021 ransomware attack that affected its five hospitals in California as an example.

Asked for more information on the incident and its effects on Thursday, a spokesperson for CommonSpirit said the health system could not provide more details.

The most worrying effect of any substantial attack on healthcare is on patients, Callow said.

“I’ve seen reports that at least one of the impacted hospitals had to divert ambulances to other facilities and that delay in getting people the care they need could obviously represent a risk to the lives of patients,” he said. “Beyond that, these incidents can have a long-term impact on patient outcomes — delaying treatments, for example.”

In 2020, the FBI and other federal agencies warned that they had credible information that cybercriminals could unleash a wave of data-scrambling extortion attempts against U.S. hospitals and health care providers.

That’s because ransomware criminals are increasingly stealing data from their targets before encrypting networks, using it for extortion. They often sow the malware weeks before activating it, waiting for moments when they believe they can extract the highest payments.

Health care is classified by the U.S. government as one of 16 critical infrastructure sectors Health care providers are seen as ripe targets for hackers.

If patient data is accessed, health care providers are required by law to notify the Department of Health and Human Services.


Kruesi reported from Nashville, Tennessee.

Copyright © The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.


climate change...

Associated Press

2 lawsuits blame utility for eastern Washington fire that killed man and burned hundreds of homes

Two lawsuits have been filed against an electric utility for allegedly sparking a fire in eastern Washington that killed a man and burned approximately 240 homes.

1 day ago

Seattle non-profits...

Associated Press

Oregon man convicted of murder in fatal shooting of sheriff’s deputy in Washington state

A jury has convicted an Oregon man of murder in the fatal shooting of a sheriff’s deputy in Washington state.

2 days ago

Image: Former U.S. President Donald Trump speaks to a crowd during a campaign rally on Monday, Sept...

Associated Press

Judge rules Donald Trump defrauded banks, insurers while building real estate empire

A judge ruled Tuesday that Donald Trump committed fraud for years while building the real estate empire that catapulted him to fame and the White House.

3 days ago

FILE - The Amazon logo is displayed, Sept. 6, 2012, in Santa Monica, Calif. Amazon's profitable clo...

Haleluya Hadero, Associated Press

Amazon sued by FTC and 17 states over allegations it inflates online prices and overcharges sellers

The FTC filed an antitrust lawsuit against Amazon on Tuesday, alleging the e-commerce behemoth uses its position in the marketplace to inflate prices

3 days ago

KYIV, UKRAINE - 2022/09/03: A man looks at an image generated based on the stories of displaced chi...

Associated Press

Tech companies try to take AI image generators mainstream with better protections against misuse

Artificial intelligence tools that can conjure whimsical artwork or realistic-looking images from written commands started wowing the public last year. But most people don't actually use them at work or home.

3 days ago

Image: Actor David McCallum attends an event for "NCIS" during the 2009 Monte Carlo Television Fest...

Associated Press

David McCallum, star of hit series ‘The Man From U.N.C.L.E.’ and ‘NCIS,’ dies at 90

Actor David McCallum, who was the eccentric medical examiner in the popular "NCIS," has died. He was 90.

4 days ago

Sponsored Articles

Swedish Cyberknife...

September is Prostate Cancer Awareness Month

September is a busy month on the sports calendar and also holds a very special designation: Prostate Cancer Awareness Month.

Ziply Fiber...

Dan Miller

The truth about Gigs, Gs and other internet marketing jargon

If you’re confused by internet technologies and marketing jargon, you’re not alone. Here's how you can make an informed decision.

Education families...

Education that meets the needs of students, families

Washington Virtual Academies (WAVA) is a program of Omak School District that is a full-time online public school for students in grades K-12.

Emergency preparedness...

Emergency planning for the worst-case scenario

What would you do if you woke up in the middle of the night and heard an intruder in your kitchen? West Coast Armory North can help.

Innovative Education...

The Power of an Innovative Education

Parents and students in Washington state have the power to reimagine the K-12 educational experience through Insight School of Washington.

Medicare fraud...

If you’re on Medicare, you can help stop fraud!

Fraud costs Medicare an estimated $60 billion each year and ultimately raises the cost of health care for everyone.

Hospital chain attack part of ongoing cybersecurity concerns