The Catholic health system disclosed that the attack is affecting patient care, and some appointments are being postponed. Key systems are now offline.
Ascension, one of America’s biggest hospital systems, says it is dealing with a cyberattack, and the incident is affecting patient care.
The Catholic health system based in St. Louis said in a statement Thursday that it is investigating the attack and working with law enforcement. The Ascension cyberattack once again shows that even large health organizations remain vulnerable to breaches.
Some Ascension hospitals are diverting ambulances to other facilities due to the cyberattack, the system said Thursday night.
“Due to downtime procedures, several hospitals are currently on diversion for emergency medical services in order to ensure emergency cases are triaged immediately,” Ascension said in a statement. “If you are experiencing a medical emergency, please contact 911 and your local emergency services will bring you to the nearest hospital emergency room.”
Some surgeries are being postponed. The health system said that “some non-emergent elective procedures, tests and appointments have been temporarily paused while we work to bring systems back online.”
Ascension’s electronic health records system and some phone systems are unavailable, the system said. Ascension’s patient portal, MyChart, which allows patients to view test results or schedule appointments, is also offline, along with systems used to order tests and prescriptions.
The system said it is reaching out to patients whose appointments and procedures are being postponed and is working to reschedule them. Ascension said its care teams are working to continue treating patients, but they acknowledged the disruption to clinical operations.
“We understand the frustration this may cause and sincerely regret any inconvenience to our patients,” the system said.
Ascension operates 140 hospitals and 40 senior centers in 19 states and Washington, D.C.
Ongoing investigation
Ascension said the breach was spotted Wednesday.
“On Wednesday, May 8, we detected unusual activity on select technology network systems, which we now believe is due to a cyber security event. At this time we continue to investigate the situation,” the system said.
Ascension said it is working to determine what information, if any, has been exposed. The system said it will notify individuals if it finds out that private data has been stolen or exposed. Ascension is also reaching out to business partners.
Ascension has tapped Mandiant, a cybersecurity company and a subsidiary of Google, to assist with its investigation.
Ascension boasts $28 billion in revenue and more than 130,000 employees. And it joins the ranks of other large healthcare organizations that have suffered cyberattacks or been affected by breaches involving partners.
Attacks affect millions
Change Healthcare, a subsidiary of UnitedHealth Group that handles business functions for providers nationwide, was hit with a ransomware attack in February. Cybersecurity experts say it’s the most damaging attack to ever hit the U.S. healthcare industry.
Nearly all of the nation’s hospitals have suffered financial damage because Change Healthcare’s processing of claims has been disrupted, and most hospitals say the attack has affected patient care. UnitedHealth says it may be months until it’s clear how many are affected, but the company said it could be a large number of Americans.
HCA Healthcare suffered a cyberattack last year that affected 11 million people. HCA said the information included patient names, addresses, dates of birth and other data. The information was stolen from a system used to automate the formatting of email messages, HCA said in a statement.
CommonSpirit Health sustained a ransomware attack in the fall of 2022. The Chicago-based system said more than 100 facilities were affected. Patient data was exposed and some appointments had to be postponed or canceled.
Ardent Health Services experienced a cyberattack last November, and the incident disrupted hospitals in several states. Ardent hospitals temporarily diverted ambulances to other facilities for a few days after the attack was discovered.
Cybersecurity attacks can cause heavy financial damage to hospitals. An IBM Security analysis estimates the average cost of a breach is nearly $11 million.
Hospitals need to recognize the risks of cyberattacks and realize that no organization is impenetrable, says Cliff Steinhauer, director of information security and engagement at The National Cybersecurity Alliance. And he noted hospitals need to be sure their vendors are also keeping up to date on cybersecurity.
“Hospitals need to be … evaluating their vendors and their third-party partners for what their security posture is,” Steinhauer told Chief Healthcare Executive® in a recent interview.
Cyberattacks and patient care
Healthcare leaders and cybersecurity experts also say more attention needs to be focused on the impact of cyberattacks on patient care.
Researchers found that the Scripps Health ransomware attack in 2021 affected hospitals throughout the San Diego area, including those that weren’t directly attacked. Surrounding hospitals saw packed emergency departments and an influx of stroke patients, researchers said.
Christian Dameff, co-director of the Center for Healthcare Cybersecurity at University of California San Diego Health, described the “blast radius” of the attack at the HIMSS Global Health Conference & Exhibition in March.
“We saw far more patients than we normally do,” Dameff said. “We were flooded. We were inundated with patients.”
Dameff and other researchers say there’s a critical need for more research on cyberattacks and their ramifications for patient care. They note that patient records are affected in attacks, and hospitals are leery of detailing the full impact due to liability reasons, but they implored researchers to help study these events.
“It's really hard to study this stuff,” Dameff said.
Kaiser Permanente said last month that the organization suffered a breach that could have affected more than 13.4 million people. Kaiser Permanente said the exposure wasn’t tied to a cyberattack, but said online technologies may have sent personal information to other parties, including Google, Microsoft Bing, and X, the social media platform formerly known as Twitter.