Ransomware Attack Disrupts Health Care in at Least Three States
A ransomware attack this week on a California-based health care system forced some of its locations to close and left others to rely on paper records.
The system, Prospect Medical Holdings, which operates 16 hospitals and more than 165 clinics and outpatient centers in Connecticut, Pennsylvania, Rhode Island and Southern California, announced the cyberattack on Thursday.
A Prospect Medical spokesman could not estimate on Saturday when services would return to normal. It was not immediately clear how many of the system’s sites were affected.
On its website, Eastern Connecticut Health Network, an affiliate of Prospect Medical, listed locations that would be closed until further notice, including a medical imaging center, an urgent care facility and an outpatient blood-draw center, among others.
CharterCARE Health Partners, a Rhode Island affiliate, said on Facebook Thursday that it had to reschedule some of its appointments and to revert to paper records. The Philadelphia Inquirer reported that computers were also down at Crozer Health facilities in Delaware County.
“Prospect Medical Holdings, Inc. recently experienced a data security incident that has disrupted our operations,” the company said in a statement on Saturday. “Upon learning of this, we took our systems offline to protect them and launched an investigation with the help of third-party cybersecurity specialists.”
The company said it was focused on “addressing the pressing needs of our patients as we work diligently to return to normal operations as quickly as possible.”
It did not provide details on the nature of the security breach.
Waterbury Hospital, in Waterbury, Conn., said on Saturday that it was continuing to have disruptions. It also said that some of its outpatient and diagnostic imaging services had not been available on Friday or Saturday. On Thursday, it said it was relying on paper records.
Cyberattacks on hospitals have become more common, said John Riggi, national adviser for cybersecurity and risk at the American Hospital Association.
In 2022, One Brooklyn Health, a hospital group that serves low-income neighborhoods in New York, was hit by a cyberattack that also forced staff members to use paper records. Employees said at the time that it was a learning curve, given that most hospitals have been using electronic records since the 1990s and that some diagnostic test results were coming back slower because of the cyberattack.
CommonSpirit Health, which has more than 140 hospitals and more than 700 care sites nationwide, was the target of a cyberattack last year that led to postponed surgeries, doctor visits and other delays in care, NBC reported. And in 2020, Russian hackers launched a ransomware attack on United Health Services, which has at least 400 facilities, making it the largest attack of its kind at the time.
Cyberattacks are becoming more frequent, in part because the coronavirus pandemic brought many more health care services online, Mr. Riggi said.
“We’re relying more on cloud-based services, remote third parties,” Mr. Riggi said. “So all of these things are done with good intention — ultimately to improve patient care and to save lives. But the unintended consequence of this is that it has expanded dramatically our digital attack surface.”
Hospitals and clinics typically use third parties to write code and develop the technology for these systems, so it’s imperative these third parties deliver secure technology, he said.