Getty Images

Thanksgiving Day Healthcare Cyberattack Impacts Hospitals Across Multiple States

Ambulances are being diverted from several hospitals owned by Ardent Health Services following a healthcare cyberattack that impacted facilities across multiple states.

Ardent Health Services, which owns 30 hospitals and 200 sites of care across six states, confirmed a healthcare cyberattack that occurred on the morning of November 23. Hospitals in multiple states have been forced to divert ambulances amid disruptions caused by the Thanksgiving day cyberattack, CNN first reported.  

A notice posted on Ardent’s website determined that the incident was in fact a ransomware attack. Upon discovery, Ardent took its network offline and suspended all user access to its information technology applications, including Epic software, corporate servers, and clinical programs.

“In the interim, while this incident results in temporary disruption to certain aspects of Ardent’s clinical and financial operations, patient care continues to be delivered safely and effectively in its hospitals, emergency rooms, and clinics,” Ardent stated.

“In an abundance of caution, our facilities are rescheduling some non-emergent, elective procedures and diverting some emergency room patients to other area hospitals until systems are back online.”

Ambulance diversions have impacted hospitals in New Jersey, New Mexico, and Oklahoma, as well as a network of UT Health East Texas hospitals. Ardent stated that all of its hospitals are continuing to provide a medical screening exam and stabilizing care to any patients arriving at the emergency department.  

Ardent did not provide a timeline for ending emergency department diversions or for restoring full access to systems.

“This is rapidly changing, and the status of each hospital will be updated as the situation improves,” the company stated.

Patients will be contacted directly if their appointments or procedures need to be rescheduled. At this time, it is also too soon to tell if and how the ransomware attack impacted patient health or financial data.

To Ty Greenhalgh, healthcare industry principle at Claroty, the Thanksgiving attacks were a “chilling reminder that hacking hospitals is an epidemic on the rise.”

“The attacks forced some hospitals to go on diversion, meaning they were unable to accept new patients, while emergency rooms were closed to patients in need of critical time-sensitive lifesaving treatment and forced to delay or cancel surgeries and other critical procedures,” said Greenhalgh.

“We have seen the direct impact on certain patient groups, such as stroke patients, who have minimal time to diagnose clotting or bleeding once admitted into the emergency room. Without proper medical devices, how can a caregiver know which to treat or the severity?”

As ransomware continues to impact healthcare at alarming rates, industry leaders and lawmakers have been increasingly calling for tightened healthcare cybersecurity regulations. Earlier in November, New York Governor Kathy Hochul proposed a set of sweeping cybersecurity regulations that would apply to hospitals across the state, along with $500 million in funding to help healthcare facilities upgrade their technology systems to meet the requirements of the proposed rules.

Specifically, the proposed regulations would require hospitals to implement defensive infrastructure to prevent cyberattacks and develop incident response plans, establish a Chief Information Security Officer (CISO) role if not already in place, and to use multi-factor authentication.

“Federal Agencies, Congress and the White House are working hard to stop the hemorrhaging of data and risk to patients' safety, but the attacks continue with relentless, successful and potentially catastrophic results to patient lives. Hospitals are filing for bankruptcy at an alarming rate. They don’t have the resources required to hire new cyber staff and implement an array of new cybersecurity software solutions,” Greenhalgh stated.

“If the Federal Government isn’t stepping forward to provide the resources needed to protect the Healthcare Critical Infrastructure across the US, then independent States will need to start considering new regulations similar to those proposed by New York’s Governor Hochul.”

Next Steps

Dig Deeper on Cybersecurity strategies