KING OF PRUSSIA, Pa. – A computer outage at a major hospital chain thrust healthcare facilities across the U.S. into chaos Monday, with treatment impeded as doctors and nurses already burdened by the coronavirus pandemic were forced to rely on paper backup systems.
Universal Health Services Inc., which operates more than 250 hospitals and other clinical facilities in the U.S., blamed the outage on an unspecified IT “security issue” in a statement posted to its website Monday but provided no details about the incident, such as how many facilities were affected and whether patients had to be diverted to other hospitals.
UHS workers reached by The Associated Press at company facilities in Texas and Washington, D.C. described mad scrambles after the outage began overnight Sunday to render care, including longer emergency room waits and anxiety over determining which patients might be infected with the virus that causes COVID-19.
The Fortune 500 company, with 90,000 employees, said “patient care continues to be delivered safely and effectively” and no patient or employee data appeared to have been “accessed, copied or misused.” The King of Prussia, Pennsylvania, company also has hospitals in the United Kingdom, but its operations in that country were not affected, a spokeswoman said Monday night.
John Riggi, senior cybersecurity adviser to the American Hospital Association, called it a “suspected ransomware attack," affirming reporting on the social media site Reddit by people identifying themselves as UHS employees. BleepingComputer, an online cybersecurity news site, spoke to UHS employees who described ransomware with the characteristics of Ryuk, which has been widely linked to Russian cybercriminals and used against large enterprises.
Criminals have been increasingly targeting health care institutions with ransomware during the pandemic, infecting networks with malicious code that scrambles data. To unlock it, they demand payment.
Increasingly, ransomware purveyors download data from networks before encrypting targeted servers, using it for extortion. Earlier this month, the first known fatality related to ransomware occurred in Duesseldorf, Germany, after an attack caused IT systems to fail and a critically ill patient needing urgent admission died after she had to be taken to another city for treatment.
UHS may not be a household name, but has U.S. hospitals from Washington, D.C., to Fremont, California, and Orlando, Florida, to Anchorage, Alaska. Some of its facilities provide care for people coping with psychiatric conditions and substance abuse problems.