- For-profit chain Universal Health Services, which runs about 400 hospitals in the U.S. and U.K. and serves millions of patients each year, has shut down its IT networks following reports of a massive ransomware attack over the weekend.
- The attack hit early Sunday morning, locking computers and phone systems at UHS facilities in several states, including COVID-19 hotspots California and Florida, according to media reports. UHS said there was no disruption to patient care as employees turned to backup protocols, including paper documentation. However, TechCrunch reported patients are being turned away and emergencies redirected to other facilities, and employees were told it would be several days before the IT systems were operational again.
- It's the latest in a string of healthcare ransomware attacks. In a short statement Tuesday morning, UHS said it had "no evidence" patient or employee data was accessed or misused, but did not respond to a request for more detailed information.
The extent of the attack on UHS is still unclear. But the consequences could be serious, cybersecurity experts say, as it could keep UHS hospitals from accessing or searching patient records or vital information like labs or radiology reports while their IT systems are down. That drastically slows down operations and could have implications on patient care.
"The ransomware operators likely saw UHS as the opportunity to make a quick buck given the urgency to keep operations going, and the monetary loss associated with that downtime could outweigh the ransom demand," Justin Heard, director of security, intelligence and analytics at Nuspire, told Healthcare Dive over email.
A Reddit thread started Monday on the incident flagged IT issues at UHS facilities in Florida, California, Arizona, Texas and North Carolina. Many commenters, not confirmed, claimed they were UHS employees and reported dire situations at their facilities because of the attack.
"It was an epic cluster working 'old school' last night with everything on paper downtime forms. It is true about sending patients away (called EMS diversion) but our lab is functional along with landlines," one user who said they worked at a facility in southeastern U.S. wrote. "We have no access to anything computer based including old labs, ekg's, or radiology studies. We have no access to our PACS radiology system."
TechCrunch, other news organizations and the Reddit thread included reports from anonymous employees describing characteristics resembling attacks of the Ryuk strain, which is run by Russia-backed hacking group Wizard Spider.
Ransom demand from Wizard Spider varies significantly, with observed ransoms ranging from 1.7 bitcoins (about $18,000 at current market value) to 99 bitcoins (about $1.1 million), according to security firm CrowdStrike.