For-profit chain Universal Health Services, which runs about 400 hospitals in the U.S. and U.K. and serves millions of patients each year, has shut down its IT networks following reports of a massive ransomware attack over the weekend.
The attack hit early Sunday morning, locking computers and phone systems at UHS facilities in several states, including COVID-19 hotspots California and Florida, according to multiple media reports. UHS said there was no disruption to patient care as employees turned to backup protocols, including paper documentation. However, TechCrunch reported that patients are being turned away and emergencies redirected to other facilities, and employees were told it would be several days before the IT systems were operational again.
It’s the latest in a string of healthcare ransomware attacks. Hospitals may be more motivated than other organizations to quickly pay hackers to get their IT systems up again, and ransomware can be used as a distraction while hackers try to steal patient data to sell on the dark web. In a short Tuesday morning statement, UHS said it had “no evidence” patient or employee data was accessed or misused, but did not respond to a request for more detailed information.
Ransomware is malicious software that spreads insidiously through a computer system, locks access and demands payment for a key to unencrypt the data. It’s a common hacker strategy, but rarely seen in medical facilities — especially at this scale. In fact, in March a number of prolific cybercrime groups pledged to not attack healthcare organizations during the COVID-19 pandemic.
The extent of the attack on Pennsylvania-based UHS is still unclear. But the consequences could be serious, cybersecurity experts say, as it could keep UHS hospitals from accessing or searching patient records or vital information like labs or radiology reports while their IT systems are down. That drastically slows down operations and could have real implications on patient care.
“The ransomware operators likely saw UHS as the opportunity to make a quick buck given the urgency to keep operations going, and the monetary loss associated with that downtime could outweigh the ransom demand,” Justin Heard, director of security, intelligence and analytics at Nuspire, told Healthcare Dive over email.
Cybersecurity attacks normally have devastating financial effects on their victims, but when targeted at providers can also affect people’s lives. Earlier this month, a women died following a ransomware attack in Germany that forced her to be moved to a different hospital 20 miles away.
A Reddit thread started Monday on the incident flagged IT issues at UHS facilities in Florida, California, Arizona, Texas and North Carolina. Many commenters, not confirmed, claimed they were UHS employees and reported dire situations at their facilities because of the attack.
“It was an epic cluster working ‘old school’ last night with everything on paper downtime forms. It is true about sending patients away (called EMS diversion) but our lab is functional along with landlines,” one user who said they worked at a facility in southeastern U.S. wrote. “We have no access to anything computer based including old labs, ekg’s, or radiology studies. We have no access to our PACS radiology system.”
TechCrunch, other news organizations and the Reddit thread included reports from anonymous employees describing characteristics resembling attacks of the Ryuk strain, which is run by Russia-backed hacking group Wizard Spider.
Ransom demand from Wizard Spider varies significantly, with observed ransoms ranging from 1.7 bitcoins (about $18,000 at current market value) to 99 bitcoins (about $1.1 million), according to security firm CrowdStrike.