KFF Health News
June 16, 2023
By Farah Yousry, Side Effects Public Media
In fall 2021, staffers at Johnson Memorial Health were hoping they could finally catch their breath. They were just coming out of a weeks-long surge of covid-19 hospitalizations and deaths, fueled by the delta variant.
But on Oct. 1 at 3 a.m., a Friday, the hospital CEO’s phone rang with an urgent call.
“My chief of nursing said, ‘Well, it looks like we got hacked,’” said David Dunkle, CEO of the health system based in Franklin, Indiana.
The information technology team at Johnson Memorial discovered a ransomware group had infiltrated the health system’s networks. The hackers left a ransom note on every server, demanding the hospital pay $3 million in bitcoin within a few days.
The note was signed by the “Hive,” a prominent ransomware group that has targeted more than 1,500 hospitals, school districts, and financial firms in over 80 countries, according to the Justice Department.
Johnson Memorial was just one victim in a rising wave of cyberattacks on U.S. hospitals. One study found that cyberattacks on the nation’s health care facilities more than doubled from 2016 to 2021 — from 43 attacks to 91.
In the aftermath of a breach, the focus frequently falls on the risk of confidential patient information being exposed, but these attacks can also leave hospitals hemorrhaging millions of dollars in the months that follow, and also cause disruptions to patient care, potentially putting lives at stake.
After its own attack, the staff at Johnson Memorial suddenly had to revert to low-tech ways of patient care. They relied on pen and paper for medical records and notes, and sent runners between departments to take orders and deliver test results.
A few hours after that 3 a.m. call, Dunkle was on the phone with cybersecurity experts and the FBI.
The burning question on his mind: Should his hospital pay the $3 million ransom to minimize disruptions to its operations and patient care?
Dunkle worried about potential fines levied by the Treasury Department’s Office of Foreign Assets Control against the hospital if it paid a ransom to an unknown entity that turned out to be on a sanctions list.
Dunkle also worried about possible lawsuits, because the hackers claimed they stole sensitive patient information they’d release to the “dark web” if Johnson Memorial did not pay up. Other health data breaches have led to class-action lawsuits from patients.
The Office for Civil Rights, within the Department of Health and Human Services, can also impose financial penalties against hospitals if patient data protected by federal privacy laws is divulged.
“It was information overload,” Dunkle recalled. All the while, he had a hospital full of patients needing care and employees wondering what to do.
In the end, the hospital did not pay the ransom. Leaders decided to disconnect after the attack, assess, and then rebuild, which meant taking several critical systems offline. That upended normal operations in various departments.
The emergency department diverted ambulances with sick patients to other hospitals because the staff couldn’t access patients’ medical records. In the obstetrics unit, newborns usually wear security bracelets around their tiny legs to prevent unauthorized adults from moving the infant or leaving the unit with them. When that tracking system went dark, staff members physically guarded the unit doors.
During one delivery, nurses struggled to communicate with an Afghan refugee who came from the nearby military post to give birth. The remote translation service they typically used was inaccessible because of the cyberattack.
“Stressed-out nurses were using Google Translate to communicate with this woman in labor,” said Stacey Hummel, the maternity department manager. “It was crazy.”
Hummel said it was the hardest challenge she’s ever faced in her 24 years of experience — even worse than the covid-19 pandemic. As the cyberattack unfolded, her nursing team was praying, “Please don’t let the fetal monitors go down.”
And then they did.
Read More at KFF Health News.
