A Thanksgiving Day ransomware attack is impacting hospital systems across six states.
At least eight hospital and health-care systems were affected, reportedly diverting ambulances to other facilities in the days after the cyber attack hit their parent company, Ardent Health Services.
Ardent said in an announcement that it “proactively took its network offline” in response to the ransomware attack. This defensive move meant users lost access to IT applications including “corporate servers, Epic software, Internet and clinical programs.” Some of Ardent’s clinical and financial operations are currently disrupted, as is patient access to MyChart and On-Demand Video Visits.
“Patient care continues to be delivered safely and effectively in its hospitals, emergency rooms, and clinics,” Ardent wrote. “In an abundance of caution, our facilities are rescheduling some non-emergent, elective procedures and diverting some emergency room patients to other area hospitals until systems are back online.”
The company said it does not yet know whether or how extensively patient health and financial data was impacted. It also does not yet know how long it will take to restore access to electronic medical records and clinical systems.
So far, impacted subsidiaries are known to include UT Health East Texas. The hospital network had been diverting ambulances to other facilities since Thanksgiving, but ended this practice as of Monday, per KLTV.
Seven other Ardent subsidiaries had also reported impacts from the ransomware incident.
BSA Health Systems said that it was diverting ambulances following a “potential security incident,” per ABC 7. Over the past few days, similar situations were reported at Idaho’s Portneuf Medical Center, per East Idaho News, and New Mexico’s Lovelace Health System, per KOB 4. The same was true for Oklahoma’s Hillcrest HealthCare System, per Tulsa World; New Jersey’s Pascack Valley Medical Center and Mountainside Medical Center, per ABC 7; and the University of Kansas Health System St. Francis Campus, per WIBW.
The Thanksgiving timing of the attack is unlikely to be coincidental. Hackers are believed to see holiday weekends as an opportunity to strike while network defenders and IT are likely “at limited capacity for an extended time,” the Cybersecurity and Infrastructure Security Agency (CISA) has noted. For example, the attack on MOVEit struck near Memorial Day 2023 and the 2021 attack on Kaseya was timed for the Fourth of July weekend.
Ardent said in its announcement that it is investigating the incident and working with third-party cybersecurity specialists to restore IT operations and capabilities.
State and federal officials have turned attention to health-care cybersecurity recently.
New York’s governor recently proposed regulations that would obligate hospitals to take certain measures to help them withstand and remain operational during cybersecurity incidents, per Cybersecurity Dive. These include assessing their digital risks, hiring a CISO, adopting multifactor authentication and establishing and testing cyber incident response plans.
CISA also published a recent guide that aims to help health-care and public health organizations mitigate the cyber threats they face. This follows on the October release of a cybersecurity toolkit aimed at the same sector.