HSHS, Prevea Health work to recover from cyberattack

Nearly two weeks after being hit with a cyberattack, the HSHS hospital system and Prevea Health are still working to recover.

The Hospital Sisters Health System, more commonly called HSHS, and Prevea, a physician group, say they are striving to restore all services for patients. Prevea partners with HSHS on patient care.

HSHS and Prevea are continuing to care for patients. Hospitals and emergency rooms are receiving patients, but some procedures and appointments have been postponed, the systems said.

“We are working nonstop to restore our systems and that we are making steady progress,” Christine Woolsey, senior vice president and chief communications officer for HSHS, said via email to Chief Healthcare Executive®. “We are prioritizing clinical systems first, such as our EMR (electronic medical record), because patient care and safety is our top priority.”

• Read more: Here are the 10 biggest data breaches in the first half of 2023

HSHS and Prevea first discovered outages to clinical and communications systems on Sunday, Aug. 27.

In a video message posted Sept. 1, HSHS CEO Damond Boatwright said, “We began experiencing a systemwide technical outage that impacted our hospital and clinical operations and most of our communication systems.”

In that message, Boatwright confirmed, “This was the result of a cybersecurity incident.”

Patients are able to schedule elective procedures, the systems say. But some appointments were postponed due to the cyberattack.

Phone and email service was down temporarily, but HSHS has restored those services, along with internal communications. Due to the heavy call volume, patients are experiencing long waits or dropped calls when they try to reach clinics and hospitals.

Due to the cyberattack, patients don’t have access to their online portal (MyChart) to schedule appointments, review lab results or other services they typically utilize.

HSHS is working with law enforcement and third parties to restore services and determine what happened. HSHS says it’s not clear if patient data has been compromised and said it’ll likely take time to determine the scope of the breach.

Patients will be notified if the intruders obtained private information, HSHS said.

HSHS says the organization has already taken steps to improve the security of its systems and says it hasn’t found any additional interference in its IT environment.

Some patients have raised concerns about potentially fraudulent bills, and HSHS says it has heard reports that patients have received calls, emails and texts from individuals claiming to be with HSHS and seeking patients.

HSHS and Prevea say they are not collecting payments from patients for outstanding bills at this time, and the system says it doesn’t charge late payment fees.

HSHS says some of its partners are sending out bills. Patients are being urged to review any bills to see if they reflect services that have been provided.

Prevea says its billing services are currently suspended.

HSHS operates 15 hospitals in Illinois and Wisconsin, along with other sites of care. Prevea is a multispecialty physician group that is based in Green Bay and works with six HSHS hospitals across Wisconsin.

Ashok Rai, president and CEO of Prevea Health, said in a video message that clinicians have worked to continue care even without access to electronic medical records and other technology tools they’ve come to rely upon.

“I’m extremely proud of how Prevea physicians and staff, along with our hospital partners, have responded to this,” Rai said.

HSHS and Prevea leaders say they recognize the gravity of the disruptions to patients and families and are working to restore services as quickly as their problems. Both HSHS and Prevea have set up websites offering updates on restoration efforts.

Leaders of the organizations have pledged to be as transparent as possible, although they acknowledged they can’t share some information to protect patients and their systems.

More hospitals have been experiencing cyberattacks and ransomware attacks in recent months. From January through late June, more than 220 cyberattacks have targeted hospitals and health systems, according to John Riggi, national advisor for cybersecurity and risk for the American Hospital Association.

More people are being affected by cyberattacks aimed at health systems and patient records, according to Critical Insight, a cybersecurity firm. In the six months of 2023, 40 million Americans were affected by health data breaches. By comparison, a record 58 million people were impacted by breaches in all of 2021.

The Joint Commission recently released a set of guidelines for hospitals to protect patients during a cyberattack. The commission suggests hospitals should have response plans to provide services to patients even if critical technology systems are down for four weeks or longer.

In addition to posing threats to patient care by delaying services, cyberattacks also carry substantial financial costs. The average healthcare data breach costs nearly $11 million, according to an analysis by IBM Security.

“We're seeing a very big increase for healthcare organizations, probably because they're really in the crosshairs of attackers,” Limor Kessem, a senior cybersecurity consultant for IBM Security, told Chief Healthcare Executive in July.