Cyberattack forces Ascension Health to divert ambulances and take records offline

(Ascension Health) — On May 8, Ascension detected unusual activity in our network systems. We have determined this is a cybersecurity incident. We are working around the clock with internal and external advisors to investigate, contain, and restore our systems following a thorough validation and screening process. Our investigation and restoration work will take time to complete, and we do not have a timeline for completion.

Safely caring for patients remains our highest priority as we navigate this cybersecurity incident. We are actively supporting our ministries as they continue to provide safe, patient care with established downtime protocols and procedures, in which our workforce is well trained. It is expected that we will be utilizing downtime procedures for some time. Patients should bring to their appointment notes on their symptoms and a list of current medications and prescription numbers or the prescription bottles so their care team can call in medication needs to pharmacies.

Systems that are currently unavailable include our electronic health records system, MyChart (which enables patients to view their medical records and communicate with their providers), some phone systems, and various systems utilized to order certain tests, procedures and medications. We have implemented established protocols and procedures to address these particular system disruptions in order to continue to provide safe care to patients. Out of an abundance of caution, however, some non-emergent elective procedures, tests and appointments have been temporarily paused while we work to bring systems back online. Our teams are working directly with any patient whose appointment or procedure will need to be rescheduled. We understand the frustration this may cause and sincerely regret any inconvenience to our patients.

Due to downtime procedures, several hospitals are currently on diversion for emergency medical services in order to ensure emergency cases are triaged immediately. If you are experiencing a medical emergency, please contact 911 and your local emergency services will bring you to the nearest hospital emergency room.

We are beyond grateful for the hard work and dedication of our care teams across the system, and their continued commitment to our patients. We also thank our patients and our community for their continued support and patience during this time as we work through a diligent, time-intensive process to restore systems as quickly, and as safely, as possible. To ensure all patients, staff, and stakeholders are kept informed during this event, we will continue to post updated information on our website as it becomes available.

TOPEKA, Kan. (AP) — A cyberattack on the Ascension health system operating in 19 states across the U.S. forced some of its 140 hospitals to divert ambulances, caused patients to postpone medical tests and blocked online access to patient records.

An Ascension spokesperson said it detected “unusual activity” Wednesday on its computer network systems. Officials refused to say whether the non-profit Catholic health system, based in St. Louis, was the victim of a ransomware attack or whether it had paid a ransom, and it did not immediately respond to an email seeking updates.

But the attack had the hallmarks of a ransomware, and Ascension said it had called in Mandiant, the Google cybersecurity unit that is a leading responder to such attacks. Earlier this year, a cyberattack on Change Healthcare disrupted care systems nationwide, and the CEO of its parent, UnitedHealth Group Inc., acknowledged in testimony to Congress that it had paid a ransom of $22 million in bitcoin.

Ascension said that both its electronic records system and the MyChart system that gives patients access to their records and allows them to communicate with their doctors were offline.

“We have determined this is a cybersecurity incident,” the national Ascension spokesperson’s statement said. “Our investigation and restoration work will take time to complete, and we do not have a timeline for completion.”

To prevent the automated spread of ransomware, hospital IT officials typically take electronic medical records and appointment-scheduling systems offline. UnitedHealth CEO Andrew Witty told congressional committees that Change Healthcare immediately disconnected from other systems to prevent the attack from spreading during its incident.

The Ascension spokesperson’s latest statement, issued Thursday, said ambulances had been diverted from “several” hospitals without naming them.

In Wichita, Kansas, local news reports said the local emergency medical services started diverting all ambulance calls from its hospitals there Wednesday, though the health system’s spokesperson there said Friday that the full diversion of ambulances ended Thursday afternoon.

The EMS service for Pensacola, Florida, also diverted patients from the Ascension hospital there to other hospitals, its spokesperson told the Pensacola News Journal. And WTMJ-TV in Milwaukee reported that Ascension patients in the area said they were missing CT scans and mammograms and couldn’t refill prescriptions.

Ascension said its system expected to use “downtime” procedures “for some time” and advised patients to bring notes on their symptoms and a list of prescription numbers or prescription bottles with them to appointments.

At two Wichita hospitals, staffers were forced to use pen and paper and announce medical emergencies over the PA system because their pagers were down, a spokesperson representing the union covering those hospitals’ employees told The Wichita Eagle.

Cybersecurity experts say ransomware attacks have increased substantially in recent years, especially in the health care sector. Increasingly, ransomware gangs steal data before activating data-scrambling malware that paralyzes networks. The threat of making stolen data public is used to extort payments. That data can also be sold online.

“We are working around the clock with internal and external advisors to investigate, contain, and restore our systems,” the Ascension spokesperson’s latest statement said.

In the Change Healthcare cyberattack earlier this year, hackers entered a server that lacked multifactor authentication, a basic form of security. It was not clear Friday whether the same group was responsible for the Ascension attack.

Change Healthcare provides technology used by doctor offices and other care providers to submit and process billions of insurance claims a year. The attack delayed insurance reimbursements and heaped stress on doctor’s offices around the country.

After hackers gained access in February, they unleashed a ransomware attack that encrypted and froze large parts of the company’s system.

Witty said the company’s core systems were now fully functional. But company officials have said it may take several months of analysis to identify and notify those who were affected by the attack.

They also have said they see no signs that doctor charts or full medical histories were released after the attack. Witty said the company, which UnitedHealth acquired in 2022, used data centers for some of its storage, but it would be moving into more secure cloud storage.

Witty told senators UnitedHealth is “consistently” under attack. He said his company repels an attempted intrusion every 70 seconds.

A ransomware attack in November prompted the Ardent Health Services system, operating 30 hospitals in six states, to divert patients from some of its emergency rooms to other hospitals while postponing certain elective procedures. It also suspended user access to information technology applications such as software used to document patient care.