Ascension, a health care system with 140 hospitals in 19 states and Washington, D.C., and tens of thousands of employees and affiliated providers, experienced a “cyber security event” that resulted in a disruption to clinical operations. This incident has had significant impacts on medical services in various states, such as Kansas, Florida, and Michigan. Patients have been diverted to other hospitals, and there is a lack of access to digital records.
In Michigan, a physician informed the Detroit Free Press that they have resorted to writing everything on paper due to the cyberattack, likening the situation to the 1980s or 1990s. This disruption in medical services comes at a time when lawmakers and federal regulators are still dealing with the aftermath of the February attack on Change Healthcare, which has potentially exposed private data of many Americans.
Change Healthcare admitted to paying $22 million to the ALPHV ransomware group after the attack. This group later shut down its site, leading a disgruntled affiliate who claimed to have been involved in the attack to take 4 terabytes of data to another extortion site. The incident with Change Healthcare has reignited calls for minimum cybersecurity standards for the hospital industry, which industry groups have strongly opposed.
Health care remains a prime target for ransomware operators as disruptions to medical services and care are difficult to endure, potentially leading operators to consider paying extortions. According to the cybersecurity firm Emsisoft, the healthcare sector is one of the most frequently targeted sectors by ransomware operators.