The medical records of up to 20million Americans may have been leaked in what could turn out to be the biggest medical cyberattack in US history.
CommonSpirit Health — the fourth largest health system in the country — was the target of a major IT ransomware attack this week.
It is not clear how many of the 140 hospitals across 21 states are affected, but the hack has already led to cancer appointments being cancelled and ambulances diverted.
Among those affected are the Virginia Mason Medical Center in Washington and MercyOne Medical Center in Iowa.
One patient was told that she faces a five-day wait for an operation to remove a cancerous tumor because the hospital tech went down. She said it felt like being sent back to the ‘stone age’.
Pictured above is the MercyOne hospital in Iowa, one of the facilities that has been affected in the ransomware attack. Operations are being cancelled for patients
Shown above are the states where CommonSpirit Health operates. It is not clear which units have been affected, but hospitals in Tennessee, Iowa and Washington have all reported issues
Pictured above is the HQ for CommonSpirit Health in Chicago, Illinoise. The system serves more than 20 million patients and has 140 hospitals across 21 states
A CommonSpirit spokesman admitted that electronic health records and other systems had been taken offline.
They added: ‘As a result of this issue [the IT attack], we have rescheduled some patient appointments.
‘Patients will be contacted directly by their provider and/or care facility if their appointment is impacted.’
Biden warns there is ‘evolving intelligence’ Russia will hit US with cyberattacks
The Biden administration is warning about the danger of Russian cyber attacks on U.S. businesses or infrastructure amid the war in Ukraine – and warning the U.S. will respond.
A White House fact sheet from March highlights the potential for Russia to launch ‘malicious cyber activity’ in response to sanctions the U.S. imposed on Russia since it invaded Ukraine last month – and the administration is revealing it has seen ‘preparatory activity.’
‘I think the President was very clear. We’re not looking for a conflict with Russia. If Russia initiates a cyber attack against the United States, we will respond,’ said Senior White House cybersecurity official Anne Neuberger, who briefed reporters at the White House.
The White House is not saying such an attack has occurred since the new sanctions, a matter that has surprised some Russia observers. But Moscow may be taking steps to prepare for such an event.
‘There is now evolving intelligence that Russia may be exploring options for potential cyberattacks,’ according to the fact sheet.
Among the patients affected are Kathy Kellog, from Washington, who had her operation to remove a cancerous tumor from her tongue delayed by at least five days.
Her husband Mark told KING-TV: ‘Everything we do today is all on a computer, and without it you’re back to the stone age writing on a tablet.’
The hospital they were attending — Virginia Mason Medical Center — is one of several that took systems offline due to the cyberattack.
The CHI Memorial Hospital in Tennessee also had to delay operations, and the St Michael Medical Center in Washington delayed critical procedures such as CT scans checking for brain bleeds.
It is unclear who the perpetrator is.
But earlier this year President Joe Biden warned Russia could escalate its cyberattacks on US businesses because the West sided with Ukraine.
Brett Callow, a threat analyst with cybersecurity provider Emsisoft, said if all the health system’s hospitals were affected the attack could be the ‘most significant on the healthcare sector to date’.
The IT expert has helped curb at least 15 ransomware attacks on hospitals in the US this year.
Four-fifths of these resulted in data being stolen from hospitals, he said.
He warned these often ‘represent a risk to the lives of patients’ due to disruption to ambulance services and operations.
The delays caused, he said, impacts the ‘long-term patient outcomes’ — or chance of recovering from the procedure.
Sources in the CommonSpirit health system confirmed the cyberattack was caused by ransomware, NBC News reports.
This is a malicious type of software that blocks access to patient systems, saying it will only re-open them after receiving a payment.
The biggest ever in US history was in September 2020 when a ransomware attack arrested services at all 250 facilities — and 28 hospitals — owned by Universal Health Services.
But the attack on CommonSpirit — which has more than 700 facilities — could be the largest yet, depending on how many centers were affected.
In 2020, the FBI and other federal agencies warned that they had credible information that cybercriminals could unleash a wave of data-scrambling extortion attempts against U.S. hospitals and health care providers.
That’s because ransomware criminals are increasingly stealing data from their targets before encrypting networks, using it for extortion.
They often sow the malware weeks before activating it, waiting for moments when they believe they can extract the highest payments.
Health care is classified by the U.S. government as one of 16 critical infrastructure sectors Health care providers are seen as ripe targets for hackers.
If patient data is accessed, health care providers are required by law to notify the Department of Health and Human Services.