Hack targeting hospital chain Ascension affecting patient care

(Adobe Stock)

Ascension, one of the largest Catholic health systems in the United States, with 140 hospitals, was struck by a cyberattack that affected computer systems across the country and affected patient care, the system said in a statement Thursday.

The not-for-profit chain said it detected the hack Wednesday and took immediate steps. News reports from Indiana, Florida, Kansas and elsewhere said ambulances were told to take emergency patients to alternative hospitals.

The 840-bed Ascension St. Vincent Hospital in Indianapolis is among the facilities feeling the effects of the attack. A spokeswoman said the hospital “detected unusual activity on select technology network systems” on Wednesday and activated remediation efforts after an investigation. Access to some systems was interrupted by the process.

“Our care teams are trained for these kinds of disruptions and have initiated procedures to ensure patient care delivery continues to be safe and as minimally impacted as possible,” the hospital’s statement said. “There has been a disruption to clinical operations, and we continue to assess the impact and duration of the disruption.

“We have engaged Mandiant, a third party expert, to assist in the investigation and remediation process, and we have notified the appropriate authorities. Together, we are working to fully investigate what information, if any, may have been affected by the situation. Should we determine that any sensitive information was affected, we will notify and support those individuals in accordance with all relevant regulatory and legal guidelines.”

Nationally, patient record systems and medication prescribing systems were among systems affected across the overall system, requiring doctors and staff to use paper records, according to reports.

“There has been a disruption to clinical operations, and we continue to assess the impact and duration of the disruption,” the system said in a statement Thursday morning. It did not offer details about the nature or extent of the impact on patients. It said access to some systems had been disrupted “as this process continues.”

It said it was investigating which records were compromised. “Should we determine that any sensitive information was affected, we will notify and support those individuals in accordance with all relevant regulatory and legal guidelines,” it said.

The hack comes as government and health-care officials focus renewed attention to cybersecurity in the wake the hacking of Change Healthcare, a subsidiary of UnitedHealth Group that is responsible for processing a vast amount of medical claims nationwide.

The cyberattack and ensuing outage disrupted operations across the country’s pharmacies, hospitals and medical practices, preventing them from getting paid and leaving consumers unable to use coupons they rely on to afford prescription drugs.

Health-care providers largely have been able to blunt direct impacts to patient care over the course of the Change Healthcare hack, even as they’ve taken out loans and resorted to filing medical claims on paper.

United Health Group’s chief executive, Andrew Witty, disclosed last month in a Senate hearing that it paid $22 million in bitcoin to hackers who targeted subsidiary Change Health and shut down medical billing systems across the country.

The vulnerability and United Health’s response came under intense criticism from lawmakers. In that hack, the criminals accessed computers using compromised credentials, entering through a system that did not require multifactor authentication.

Ascension said it had turned to a third-party contractor, Mandiant, to help it investigate and work on restoring service. It said it has notified other businesses that interact with its computers so they can take steps to protect their own systems, which often means disconnecting.

“Our care teams are trained for these kinds of disruptions and have initiated procedures to ensure patient care delivery continues to be safe and as minimally impacted as possible,” Ascension said.

Hackers in recent years increasingly have targeted U.S. medical systems with ransomware, which involves infiltrating an organization’s network and using malicious code to lock up its data. The FBI’s internet Crime Complaint Center received reports of 249 ransomware attacks on health-care infrastructure last year, the most of any sector it tracked, according to an annual summary released in March.