UPDATE
Editor's Note: On Friday morning, May 10, CNN reported that four sources briefed on the Ascension hack investigation said that the Black Basta ransomware group was behind the attack. Also on Friday, the Health Information and Analysis Center posted an advisory that Black Basta had stepped up its attacks on the healthcare sector.
News that numerous hospitals in the Ascension network nationwide had to shut down their computer systems because of a cybersecurity incident sent medical staffs across the country back to doing charts on paper and dramatically altered medical care over the last day.
The Detroit Free Press reported that one Michigan doctor said they have no access to medical records, labs, radiology, or X-rays, and no ability to place orders.
“We have to write everything on paper,” said the doctor. “It's like the 1980s or 1990s. You go to the X-ray room to look at the X-rays on film, you call the lab, they tell you what the results are over the phone. So it's just much more cumbersome, but we do have training for these moments.”
A man in Maryland said his partner, a 69-year-old woman with numerous medical issues, was admitted last night to Ascension Saint Agnes Hospital in Baltimore, where staff were also doing all their charts on paper. To make matters worse, the hospital doctors couldn’t receive the woman’s medical history from her general practitioner (GP), and they couldn’t send recent tests done at the hospital to the GP, making it next to impossible for the doctors to consult and treat her properly.
Ascension, which operates 142 hospitals and 40 senior care facilities nationwide in 19 states and the District of Columbia, is the largest nonprofit and Catholic health system in the United States, with revenues of $28.3 billion in 2023.
The nonprofit said in a May 9 statement that it detected unusual activity on “select technology network systems” on May 8 that is believed to be caused by an [unspecified] cybersecurity incident.
“At this time we continue to investigate the situation,” said the Ascension statement. “Our care teams are trained for these kinds of disruptions and have initiated procedures to ensure patient care delivery continues to be safe and as minimally impacted as possible. There has been a disruption to clinical operations, and we continue to assess the impact and duration of the disruption.”
Ascension hired Google Mandiant to assist in the investigation and remediation process, and it has notified appropriate authorities. The statement said they were investigating what information may have been impacted and they will notify those affected if any sensitive information was stolen.
“The attack of Ascension on the heels of Change Healthcare shows that malicious actors' threats to go after healthcare are not idle threats,” said Toby Gouker, chief security officer at First Health Advisory, and an SC Media columnist. “These threats are aimed at the largest and the smallest of healthcare providers, and even translate to threatening the ER patients trying to get to a bed for their healthcare emergencies.”
Darren Williams, founder and CEO at BlackFog, added that healthcare ranks consistently in the top three verticals when it comes to ransomware. Williams said an abundance of sensitive data, combined with the potential to cause massive disruption, makes the sector an appealing target for cybercriminals.
“The attack on Ascension hospitals, coupled with the recent Change Healthcare attacks, clearly tells us that the healthcare industry is failing when it comes to preventing attacks and securing patient data,” said Williams.
This attack sounds like ransomware, which very quickly moves medical care back to paper charting, said John Bambenek, president of Bambenek Consulting. Bambenek said several regional hospital and medical chains have seen similar incidents happen to them in recent months as several ransomware groups are targeting these types of organizations.
“Some of these organizations become ‘repeat customers’ of ransomware groups, which suggests a degree of complacency has set in and a mentality that there’s little that can be done to prevent it so managing the risk with a combination of insurance, paper charting, and acceptance of the increase in mortality rates for hospitals enduring these attacks is an increasingly typical approach,” said Bambenek. “As a result, the only entity that can really enforce change are the cyber insurance companies, who can place terms on renewing policies or what needs to be done after a breach.”
This story was updated at 4:45 p.m. Eastern on May 10.