A leading US health system is not disclosing how many patient medical records have been compromised by what could be the largest medical cyberattack in US history.
CommonSpirit Health, the nation’s fourth-largest system with 142 hospitals in 21 states, was the target of a major IT ransomware attack last week.
The company owns the medical records of up to 20 million Americans, all of whom may have been affected by the attack — which the company calls an “IT security vulnerability.”
When approached by DailyMail.com on Monday for an update, CommonSpirit Health declined to disclose information about the extent of the cyber breach.
One patient who had surgery to remove a cancerous tumor said it felt like being sent back to the “Stone Age.”
The system did not respond to a query from DailyMail.com about whether it intended to notify affected patients once the extent of the breach was determined.
The number of cyber-attacks on US health systems has skyrocketed in recent years as an era of working from home means many employees are using less secure systems.
The American Association of Medical Colleges reports that 600 U.S. hospitals were attacked in 2020 alone.
The health system operates 142 hospitals in 21 US states. It’s unclear how many people were affected by the attack, though there are confirmed problems in Iowa, Washington and Tennessee.
CommonSpirit Health has been hit by a ransomware attack that could affect up to 20 million patients. Asked by DailyMail.com, the company did not disclose the number of affected patients. Pictured: MercyOne Des Moines Medical Center in Iowa, which was hit by the attack
CommonSpirit told DailyMail.com today that it “identified an IT security issue affecting some of our facilities.”
A spokesperson adds: “We have taken certain systems offline. We will continue to investigate this issue and follow existing system failure protocols.”
Biden warns there is ‘evolving intelligence’ that Russia will hit US with cyberattacks
The Biden administration warns of the danger of Russian cyber attacks on US companies or infrastructure during the war in Ukraine – and warns that the US will respond.
A March White House factsheet highlights the potential for Russia to launch “malicious cyberactivity” in response to sanctions the US has imposed on Russia since it invaded Ukraine last month – and the government reveals it has seen “preparatory activity”.
“I think the president was very clear. We are not seeking conflict with Russia. If Russia initiates a cyber attack on the United States, we will respond,” said senior White House cybersecurity official Anne Neuberger, who briefed reporters at the White House.
The White House is not saying such an attack has taken place since the new sanctions, a matter that has taken some Russian observers by surprise. But Moscow may be taking steps to prepare for such an event.
“There is now mounting information that Russia may be exploring options for possible cyberattacks,” the fact sheet said.
“We are grateful to our staff and doctors, who are doing everything they can to minimize the impact on our patients.
“We take our responsibility to our patients very seriously and apologize for any inconvenience caused.”
Among those affected are Virginia Mason Medical Center and St Michael Medical Center in Washington, MercyOne Medical Center in Iowa and CHI Memorial Hospital in Tennessee.
Among the patients affected is Kathy Kellog, of Washington, whose surgery to remove a cancerous tumor from her tongue was delayed by at least five days.
Her husband Mark told KING-TV, “Everything we do today is all on a computer, and without it you’re back in the stone age and writing on a tablet.”
The hospital they visited – Virginia Mason Medical Center – is one of many that have had systems taken offline due to the cyberattack.
Healthcare organizations are an attractive target for cyber attackers, especially those using ransomware.
Ransomware is still a persistent threat to the industry, one of the 16 sectors the US government classifies as critical infrastructure.
Healthcare systems saw an unusually high number of attacks in 2021, with 285 publicly reported worldwide, according to Dr. Liska.
So far this year, Dr. Liska’s company has tracked 155 of them, an average of 20 attacks per month.
However, he estimated that only about 10 percent of ransomware attacks are made public.
Cybersecurity experts said years of work have built health care leaders’ trust in the FBI and other federal agencies dealing with cybercrime.
An FBI spokesperson declined to comment on whether they were investigating the CommonSpirit Health cyber attack.
Brett Callow, a threat analyst at cybersecurity provider Emsisoft, said that if all of the health system’s hospitals were affected, the attack could be the “most significant in the healthcare sector yet.”
The IT expert has helped curb at least 15 ransomware attacks on US hospitals this year.
Four-fifths of these resulted in data being stolen from hospitals, he said.
He warned that these often “pose a risk to patients’ lives” because of disruption to ambulance services and operations.
The delays caused, he said, affect “long-term patient outcomes” — or the likelihood of recovery from the procedure.
It is not clear who the perpetrator is.
The largest such attack in US history was in September 2020, when a ransomware attack halted services at all 250 facilities – and 28 hospitals – owned by Universal Health Services.
Earlier this year, President Joe Biden warned that Russia could escalate its cyberattacks on US companies because the West sided with Ukraine.