A recent attack was the latest to illustrate the potential of cybercriminals to cause havoc across an interstate health system.
The Los Angeles-based Prospect Medical Holdings system sustained a ransomware attack Aug. 3 that temporarily required some patients to be diverted from emergency departments and forced hospitals to fall back on paper records and other downtime procedures.
As of Monday, Aug. 7, the company had not determined when operations would return to normal. A banner on the company’s website said “all Prospect Medical facilities” were being affected.
In a statement issued soon after the attack, the company said that upon learning of what it called a “data security incident … we took our systems offline to protect them and launched an investigation with the help of third-party cybersecurity specialists. While our investigation continues, we are focused on addressing the pressing needs of our patients as we work diligently to return to normal operations as quickly as possible.”
The FBI is assisting in the investigation, according to reports.
Many facilities affected
Prospect Medical lists 11 individual hospitals and subsidiary health systems on its website, with locations in California, Connecticut, Pennsylvania and Rhode Island, along with 166 clinics in those states and others.
At the Eastern Connecticut Health Network (ECHN), a Prospect Medical affiliate with hospitals in the towns of Manchester and Vernon, the emergency departments (EDs) diverted ambulance arrivals during the first day of the attack. Stroke patients also were being diverted on the first day.
ECHN on Friday also posted a notice saying elective surgery and gastrointestinal procedures, outpatient medical imaging at certain locations, outpatient blood draws and outpatient physical therapy were not available. (By late Monday afternoon, the list included only outpatient medical imaging and blood draws.) The system was working to notify patients in advance if their procedures would be canceled.
A separate Prospect Medical facility in the state, Waterbury Hospital, posted on Facebook that locations providing blood draws, diagnostic radiology, women’s imaging, open MRI and cardiopulmonary rehabilitation would be closed Monday.
“Our computer systems are down due to a cybersecurity attack with the outage affecting all Waterbury Health inpatient and outpatient operations,” the hospital wrote. “We continue to evaluate our downtime capabilities and may reschedule some appointments. Waterbury Hospital is following downtime procedures, including the use of paper records, until this is resolved.”
Crozer Health, a Prospect Medical subsidiary that runs four hospitals in Pennsylvania’s Delaware County, said it was experiencing a “systemwide outage” and working to resolve the issue. CNN reported that stroke and trauma patients initially were being diverted to other hospitals.
Another subsidiary, CharterCare Health Partners in Rhode Island, said both of its hospitals were dealing with outages but were accepting ED walk-ins and continuing with scheduled surgical procedures unless the patient was otherwise notified.
A widespread concern
Healthcare is a frequent target of cybercriminals, although its rank among industries in attack volume depends on which study you read. A recent study conducted by the Ponemon Institute and published by IBM Security found the average cost of an attack on the healthcare industry is nearly $11 million, higher than any other sector. That figure has increased by 53% since 2020.
Last September and October, a ransomware attack on CommonSpirit Health forced the 21-state health system to take more than 100 facilities offline. The organization reported in May that the financial impact of the attack was $160 million in costs stemming from business interruption, expense remediation and other factors. The protected health information of more than 623,000 patients was exposed, and delays in care initially were reported among the impacted locations.
HCA Healthcare, the nation’s largest hospital chain, was targeted over the summer in an attack that exposed the information of 11 million people. The company said clinical and payment information was not accessible by the perpetrators, nor was information such as driver’s license numbers and Social Security numbers. In January, Community Health Systems reported an attack on a contractor that potentially compromised the protected health information of 1.2 million patients.
Patient lawsuits arising from cyberattacks have been filed against various hospitals, health plans and IT vendors in recent years.
The November cover story of hfm took an in-depth look at the cybersecurity issue and how hospitals should respond.
The U.S. Department of Health and Human Services offers a downtime preparedness checklist for hospitals to use in planning for the aftermath of a cyberattack.