A leading US health system is not disclosing how many patients’ medical records were effected by what could be the largest medical cyberattack in US history.
CommonSpirit Health, the nation’s fourth largest system with 142 hospitals across 21 states, was the target of a major IT ransomware attack last week.
The firm holds the medical records of up to 20million Americans, all of which may have been affected by the attack – which the firm is calling an ‘IT security issue’.
When approached by DailyMail.com for an update Monday, CommonSpirit Health refused to reveal any information about the scope of the cyber breach.
One patient who had surgery on to remove a cancerous tumor delayed said it felt like being sent back to the ‘stone age’.
The system did not reply to a DailyMail.com inquiry on whether it planned to notify affected patients once the scope of the breach was determined.
Cyberattacks on US health systems has greatly increased in recent years as an era of working from home means many employees are using less secure systems.
The American Association of Medical Colleges reports that there 600 US hospitals attacked in 2020 alone.
The health system operates 142 hospitals across 21 US states. It is unclear how many were affected by the attack, though there has been confirmed issues in Iowa, Washington and Tennessee
CommonSpirit Health has been hit be a ransomware attack that could affect up to 20million patients. The firm did not reveal the number of patients affected when asked by DailyMail.com. Pictured: MercyOne Des Moines Medican Center in Iowa, which was affected by the attack
CommonSpirit told DailyMail.com today it had ‘identified an IT security issue that is impacting some of our facilities’.
A spokesperson added: ‘We have taken certain systems offline. We are continuing to investigate this issue and follow existing protocols for system outages.
Biden warns there is ‘evolving intelligence’ Russia will hit US with cyberattacks
The Biden administration is warning about the danger of Russian cyber attacks on U.S. businesses or infrastructure amid the war in Ukraine – and warning the U.S. will respond.
A White House fact sheet from March highlights the potential for Russia to launch ‘malicious cyber activity’ in response to sanctions the U.S. imposed on Russia since it invaded Ukraine last month – and the administration is revealing it has seen ‘preparatory activity.’
‘I think the President was very clear. We’re not looking for a conflict with Russia. If Russia initiates a cyber attack against the United States, we will respond,’ said Senior White House cybersecurity official Anne Neuberger, who briefed reporters at the White House.
The White House is not saying such an attack has occurred since the new sanctions, a matter that has surprised some Russia observers. But Moscow may be taking steps to prepare for such an event.
‘There is now evolving intelligence that Russia may be exploring options for potential cyberattacks,’ according to the fact sheet.
‘We are grateful to our staff and physicians, who are doing everything possible to minimize the impact to our patients.
‘We take our responsibility to our patients very seriously and apologize for any inconvenience.’
Among those affected are the Virginia Mason Medical Center and St Michael Medical Center in Washington, MercyOne Medical Center in Iowa, the CHI Memorial Hospital in Tennessee are among those confirmed to have been affected.
Among the patients affected are Kathy Kellog, from Washington, who had her operation to remove a cancerous tumor from her tongue delayed by at least five days.
Her husband Mark told KING-TV: ‘Everything we do today is all on a computer, and without it you’re back to the stone age writing on a tablet.’
The hospital they were attending — Virginia Mason Medical Center — is one of several that took systems offline due to the cyberattack.
Healthcare organizations are an appealing target for cyber attackers — particularly those who use ransomware.
Ransomware has remained a persistent threat for the industry, which is among the 16 sectors the US government classifies as critical infrastructure.
Health care systems in 2021 saw an unusually high amount of attacks, with 285 publicly reported worldwide, Dr Liska added.
So far, Dr Liska’s firm has tracked 155 this year with an average of 20 attacks happening a month.
However, he estimated that only about 10 per cent of ransomware attacks are publicized.
Cybersecurity experts said years of work have built health care leaders’ trust in the FBI and other federal agencies focused on cyber crime.
An FBI spokesperson declined to comment on whether they were investigating the CommonSpirit Health cyberattack.
Brett Callow, a threat analyst with cybersecurity provider Emsisoft, said if all the health system’s hospitals were affected the attack could be the ‘most significant on the healthcare sector to date’.
The IT expert has helped curb at least 15 ransomware attacks on hospitals in the US this year.
Four-fifths of these resulted in data being stolen from hospitals, he said.
He warned these often ‘represent a risk to the lives of patients’ due to disruption to ambulance services and operations.
The delays caused, he said, impacts the ‘long-term patient outcomes’ — or chance of recovering from the procedure.
It is unclear who the perpetrator is.
The biggest ever in US history was in September 2020 when a ransomware attack arrested services at all 250 facilities — and 28 hospitals — owned by Universal Health Services.
Earlier this year President Joe Biden warned Russia could escalate its cyberattacks on US businesses because the West sided with Ukraine.