The medical records of up to 20 million Americans may have been leaked in what could turn out to be the largest medical cyberattack in US history.
CommonSpirit Health — the country’s fourth-largest health system — was the target of a major IT ransomware attack this week.
It’s not clear how many of the 140 hospitals in 21 states have been affected, but the hack has already resulted in cancer appointments being canceled and ambulances being diverted.
Among those affected are Virginia Mason Medical Center in Washington and MercyOne Medical Center in Iowa.
A patient was told to wait five days for surgery to remove a cancerous tumor because hospital technology failed. She said it felt like she was being sent back to the ‘Stone Age’.
Pictured above is the MercyOne hospital in Iowa, one of the facilities affected by the ransomware attack. Operations have been canceled for patients.
Listed above are the states in which CommonSpirit Health is active. It’s not clear which units were affected, but hospitals in Tennessee, Iowa and Washington have all reported problems.
Pictured above is the headquarters for CommonSpirit Health in Chicago, Illinois. The system serves more than 20 million patients and has 140 hospitals in 21 states.
A CommonSpirit spokesperson admitted that electronic health records and other systems had been taken offline.
They added: “Due to this problem [the IT attack] we have moved a number of appointments with patients.
“Patients are contacted directly by their healthcare provider and/or healthcare facility if their appointment is affected.”
Biden warns there is ‘evolving intelligence’ that Russia will hit US with cyberattacks
The Biden administration warns of the danger of Russian cyber attacks on US companies or infrastructure during the war in Ukraine – and warns that the US will respond.
A March White House factsheet highlights the potential for Russia to launch “malicious cyberactivity” in response to sanctions the US has imposed on Russia since it invaded Ukraine last month – and the government reveals it has seen “preparatory activity.”
“I think the president was very clear. We are not seeking conflict with Russia. If Russia initiates a cyber attack on the United States, we will respond,” said senior White House cybersecurity official Anne Neuberger, who briefed reporters at the White House.
The White House is not saying such an attack has taken place since the new sanctions, a matter that has taken some Russian observers by surprise. But Moscow may be taking steps to prepare for such an event.
“There is now mounting information that Russia may be exploring options for possible cyberattacks,” the fact sheet said.
Among the patients affected is Kathy Kellog, of Washington, whose surgery to remove a cancerous tumor from her tongue was delayed by at least five days.
Her husband Mark told KING-TV, “Everything we do today is all on a computer, and without it you’re back in the stone age and writing on a tablet.”
The hospital they visited – Virginia Mason Medical Center – is one of many that have had systems taken offline due to the cyberattack.
CHI Memorial Hospital in Tennessee also had to postpone surgeries and St Michael Medical Center in Washington delayed critical procedures such as CT scans to check for brain hemorrhages.
It is not clear who the perpetrator is.
But earlier this year, President Joe Biden warned that Russia could escalate its cyberattacks on US companies because the West sided with Ukraine.
Brett Callow, a threat analyst at cybersecurity provider Emsisoft, said that if all of the health system’s hospitals were affected, the attack could be the “most significant in the healthcare sector yet.”
The IT expert has helped curb at least 15 ransomware attacks on US hospitals this year.
Four-fifths of these resulted in data being stolen from hospitals, he said.
He warned that these often “pose a risk to patients’ lives” because of disruption to ambulance services and operations.
The delays caused, he said, affect “long-term patient outcomes” — or the likelihood of recovery from the procedure.
Sources in the CommonSpirit health system confirmed that the cyberattack was caused by ransomware, NBC News reports.
Ransomware is a malicious type of software that blocks access to patient systems and demands payment before access is restored.
The largest such attack in US history to date was in September 2020, when a ransomware attack halted services in all 250 facilities – and 28 hospitals – owned by Universal Health Services.
But the attack on CommonSpirit — which has more than 700 facilities — could be the largest yet, depending on how many centers were hit.
In 2020, the FBI and other federal agencies warned that they had credible information that cybercriminals could unleash a wave of data-encrypting extortion attempts against U.S. hospitals and health care providers.
That’s because ransomware criminals are increasingly stealing data from their targets before encrypting networks, and using it for extortion.
They often seed the malware weeks before activating it, waiting for moments when they think they can get the highest payouts.
Healthcare has been classified by the US government as one of the 16 critical infrastructure sectors. Healthcare providers are seen as ripe targets for hackers.
If access to patient data is obtained, healthcare providers are required by law to notify the Department of Health and Human Services.