A cybersecurity incident at a major hospital chain has disrupted care at multiple facilities across the U.S., including in the District and Virginia, by shutting down computer systems and forcing doctors and nurses to depend on paper backup systems for patients.
The cybersecurity incident at Universal Health Services has affected all 250 of its hospitals and other clinical facilities in the U.S., said company spokeswoman Jane Crawford. She said the company doesn’t know who is responsible for the incident, which hasn’t been confirmed as a ransomware attack.
Universal Health has two facilities in the District: the Psychiatric Institute of Washington and George Washington University Hospital.
Staffers at George Washington University Hospital are recording patient data with paper and pen and scrambling to deal with the loss of computers and some phones since Universal Health has blocked access to its computer data, an unidentified clinician told The Associated Press.
The computer shutdown has prevented staff from easily accessing lab results, medication lists, imaging scans and other documents. Issues with phones made it more difficult to communicate with nurses, and lab orders have had to be hand-delivered.
The clinician added there were concerns about how to determine which patients had been exposed to the coronavirus, creating anxiety in delivering a patient to another department, although no harm came to the 20 or so patients the D.C. staff attended to.
According to its website, Universal Health has 13 facilities in Virginia: Cumberland Hospital, Harbor Point Behavioral Health Center, Kempsville Center for Behavioral Health, Liberty Point Behavioral Healthcare, Newport News Behavioral Health Center, North Spring Behavioral Healthcare, Poplar Springs Hospital, The Hughes Center, Virginia Beach Psychiatric Center, and First Home Care facilities in Richmond, Roanoke, Portsmouth and Alexandria.
The two D.C. facilities and some of the Virginia centers could not be reached for comment.
People identifying themselves as Universal Health employees who posted to a Reddit forum claimed the company’s facilities were attacked by ransomware overnight Sunday, according to AP. However, Ms. Crawford said Universal Health has not confirmed that it was a ransomware attack. She added the company has no idea who is behind the cybersecurity incident.
The hospital chain said Tuesday that it is “working diligently” to restore its information technology operations “as quickly as possible,” and noted there might be “temporary disruptions” to its clinical and financial operations. Its acute care and behavioral health facilities are using their offline documentation backups.
“At this time, we have no evidence that patient or employee data was accessed, copied or misused,” Universal Health said.
Despite reports of issues from the computer outage, Ms. Crawford told The Washington Times that Universal Health is still able to “deliver patient care as appropriate.”
UHS also has facilities in the United Kingdom, which were not affected by the incident, Ms. Crawford said.
Health care institutions increasingly have faced ransomware attacks on their networks.
Ransomware is a type of malware that prevents users from accessing computer files, systems or networks until a ransom is paid. It typically works by encrypting data on a system with a password only the attackers know, making it unreadable to those who don’t have the password, according to Brad Hayes, chief technology officer for the cybersecurity firm Circadence.
A person can unknowingly download ransomware by opening an email attachment, visiting a website embedded with malware, clicking on an ad or following a link.
“The attackers will often display a ransom note with payment instructions, though there is no guarantee that they will actually provide you with the password to decrypt your data if you do pay,” Mr. Hayes has said.
Ransomware last year hit an estimated 764 health care providers in the U.S., including California-based Wood Ranch Medical, Campbell County Health in Wyoming and DCH Health Systems in Alabama, according to the cybersecurity firm Emsisoft.
“Healthcare organizations are under immense pressure to pay ransom demands as failure to comply could result in disruption that may endanger the lives of patients. The health care sector was the most popular target in 2019,” the cybersecurity firm said in its blog.
The firm estimates that more than $7.5 billion was lost in 2019 to an “unrelenting barrage of ransomware attacks” on government agencies, educational institutions and health care providers.