Ransomware attacks continue to impact the daily operations of large and small hospitals nationwide. Journalists can find interesting story ideas by following the news or find local story angles by talking to hospitals affected by attacks or inquiring about measures medical centers are taking to prevent attacks.
The annual number of ransomware attacks on health care delivery organizations more than doubled from 2016 (43 attacks) to 2021 (91 attacks), exposing the personal health information of nearly 42 million patients, according to a recent study in JAMA Health Forum. Nearly half of the ransomware attacks on health care organizations disrupted care delivery, with common disruptions including electronic system downtime, cancellations of scheduled care, and ambulance diversion — a strategy to relieve overcrowding in the emergency department when incoming ambulances are directed to other centers. Nearly 20% of the time, attackers made protected health data public, typically via the dark web, and 16% of attacks disrupted hospital operations for a week or more.
Some 289 hospitals were impacted in 2022, according to an article in Becker’s Health IT. The largest ransomware attack on a hospital in 2022 was against Chicago-based CommonSpirit Health last October, which compromised the data of 623,000 patients. CommonSpirit reported the $150 million financial impact of the attack this February in its annual earnings statement, noting lost revenues due to business disruption and extra costs to fix the IT issues.
Attacks have continued into 2023. On Jan. 31, the Russian hacking group Killnet claimed responsibility for a cyberattack that disrupted at least 20 hospital and health system websites across the U.S., according to this article in Becker’s Health IT. Systems impacted included Michigan Medicine in Ann Arbor, Stanford Health Care in California, Cedars-Sinai Medical Center in Los Angeles, UPMC Presbyterian Shadyside in Pittsburgh, and Thomas Jefferson University Hospitals in Philadelphia.
Tallahassee Memorial HealthCare in Florida also had a trying time following an IT security incident that started on Feb. 2. The health system was forced to operate on downtime procedures for nearly two weeks, diverting some emergency medical services patients and using paper documentation, while also canceling some non-emergency surgical and outpatient procedures, according to several stories by Becker’s Health IT. Some remote employees who were unable to log into the system on two days in early February were told they could take paid time off or accept unpaid leave for those days, or could show up to the hospital to be assigned a task, one of the stories said. Finally, on Feb. 15, the hospital announced it had fully restored its systems and returned to normal operations.
Two-thirds of health care cybersecurity decision makers said senior leadership teams continue to underestimate cyber threats to their organization, according to a survey from Google subsidiary Mandiant. This is despite the fact that 40% of health care cybersecurity professionals said their organizations experienced a significant cyberattack within the last 12 months.
Lasting woes for hospitals
Hospitals may have lingering headaches and costs beyond recovering from the attack. In late December 2022, San Diego-based Scripps Health agreed to pay $3.57 million to settle a lawsuit from victims of a May 2021 ransomware attack that led to a massive data breach that affected 1.2 million patients, Becker’s Health IT reported. Through the settlement, Scripps agreed to pay a minimum of $100 for each patient, and up to $7,500 to each plaintiff who had their identities stolen or who qualified for “extraordinary out-of-pocket expenses.”
St. Margaret’s Health in Spring Valley, Ill., announced that a cyberattack was partly to blame for its decision to temporarily close one of its hospitals in Peru, Ill., as of Jan. 28, 25 News Now reported. The incident “meant we could not bill nor get paid, in a timely manner, for the services we’d provided,” according to a letter sent to employees.
John Gaede, director of information systems at Sky Lakes Medical Center in Oregon, which had a cyberattack in October 2020 and went offline, wrote a blog post for Healthcare IT Today about the experience. Most network failures last 24 to 48 hours, he said, and many contingency plans only cover up to that point. The attack “quickly demonstrated how short-sighted our plan was and how easily it would crumble if the outage lasted longer than two days.”
Resources for journalists
AHCJ has prepared a few web posts on ransomware as well as a tip sheet on covering health system ransomware attacks, available to members online. Search “ransomware” on healthjournalism.org for posts and links.
- John Riggi, a senior advisor for cybersecurity and risk at the American Hospital Association, can be reached through Colin Milligan at the AHA public affairs office: email@example.com. He was a panelist at Health Journalism 2022 for a session on hospital ransomware attacks.
- Teresa Tonthat, vice president of IT and chief information security officer at Texas Children’s Hospital in Houston, can be reached through Wendi Hawthorne in the hospital public affairs office: firstname.lastname@example.org. She was a panelist at Health Journalism 2022 for a session on hospital ransomware attacks.
- The Cybersecurity and Infrastructure Security Agency (CISA), the country’s cyber defense agency, has experts available. Contact Victoria Dillon (Victoria.email@example.com) or Scott McConnell (firstname.lastname@example.org) in the media relations office.