Cyberattack disrupts services at hospitals and clinics

Hospitals and clinics continue to deal with the cyberattack that has affected Prospect Medical Holdings.

Organizations say that some services at Prospect’s facilities continue to be affected. The California-based system operates 17 acute-care and behavioral hospitals and a host of clinics in California, Connecticut, New Jersey, Pennsylvania and Rhode Island. Some healthcare services and procedures are being postponed at the system’s facilities.

The New York Times reported that Prospect Medical Holdings issued a statement saying that it “recently experienced a data security incident that has disrupted our operations.”

“Upon learning of this, we took our systems offline to protect them and launched an investigation with the help of third-party cybersecurity specialists,” Prospect said in a statement to the Times.

Prospect told The Washington Post that the attack “has disrupted our operations” and the company is working with the FBI and cybersecurity specialists.

Crozer Health, which operates two hospitals in the Philadelphia area, described the system’s disruptions as a “ransomware attack,” The Philadelphia Inquirer reported.

“We have experienced a ransomware attack that is Prospect-wide, and are currently evaluating the situation,” Crozer spokesperson Lori Bookbinder told The Philadelphia Inquirer.

Eastern Connecticut Health Network, which is owned by Prospect, said on its website Monday, “Prospect Medical Holdings facilities are experiencing IT complications impacting some ECHN locations and services.”

Eastern Connecticut says elective surgeries, GI procedures and outpatient physical therapy are postponed until further notice. In addition, outpatient blood draws and outpatient medical imaging at two facilities have been postponed. Eastern Connecticut’s emergency rooms have remained open, but ambulances were temporarily diverted until Friday morning, CNN reported.

CharterCARE in Rhode Island said its operations have been disrupted due to the “data security incident” affecting Prospect Medical Holdings.

“While our investigation continues, we are focused on addressing the pressing needs of our patients as we work diligently to return to normal operations as quickly as possible,” CharterCARE said on its website.

CharterCare is accepting walk-ins in the emergency departments of its two hospitals, and surgeries are continuing as scheduled, unless patients are notified of changes. CharterCARE said late last week that its computers were down, affecting inpatient and outpatient operations at Our Lady of Fatima Hospital and Roger Williams Medical Center, and the facilities were using paper records.

Tens of millions of Americans have already been affected by health data breaches in 2023. HCA Healthcare said in July that it suffered a data breach affecting as many as 11 million people. HCA said last month the breach appears to be “a theft from an external storage location exclusively used to automate the formatting of email messages.”

• Read more: Here are the 10 biggest data breaches in the first half of 2023

Hospitals have seen more ransomware attacks in recent months, John Riggi, national advisor for cybersecurity and risk for the American Hospital Association, told Chief Healthcare Executive® in a July interview. More than 220 cyberattacks have targeted hospitals and health systems from January through late June, Riggi said.

Hospitals must work with other health systems in their area to develop regional response plans to cyberattacks, Riggi says. Scripps Health suffered a cyberattack in 2021 that disrupted patient services, and the attack also affected other hospitals that had to accommodate stroke patients and other transfers, according to a study published by JAMA Network Open.

“It’s what I call ransomware blast radius,” Riggi said in the July interview. “The original victim is hit, but there is a collateral effect throughout the entire healthcare region.”

Healthcare data breaches continue to be more costly. The average healthcare data breach cost nearly $11 million, according to an IBM Security report released in July. Data breaches in healthcare are more expensive than any other industry, the report found.

Beyond the cost in dollars, cybersecurity experts are drawing more attention to the risks of ransomware attacks to patient care. If procedures are delayed or patients have to be transferred, hospitals face growing risks to patient safety, experts say.

“These are threat-to-life crimes,” Riggi told Chief Healthcare Executive in July. “These are not data crimes. These are not white-collar crimes. And the adversaries have to understand, when we are diverting ambulances with stroke, heart attack and trauma patients, people's lives are at risk.”

Steve Cagle, CEO of Clearwater, a cybersecurity firm, spoke with Chief Healthcare Executive about creating a culture of cybersecurity in this video.