Ransomware attack prompts multistate hospital chain to divert patients elsewhere
NASHVILLE — A ransomware attack has prompted a health care chain that operates 30 hospitals in six states to divert patients from some of its emergency rooms to other hospitals, while putting certain elective procedures on pause, the company announced.
In a statement Monday, Ardent Health Services said the attack occurred Nov. 23 and the company took its network offline, suspending user access to its information technology applications, including the software used to document patient care.
As of midday Tuesday, about half of Ardent’s 25 emergency rooms were still operating on “divert,” meaning the hospitals have asked ambulances to take those needing emergency care to other facilities in their areas, Ardent spokesperson Will Roberts said. Roberts said hospitals nationwide also use divert status sometimes during flu season, COVID surges, natural disasters, or a large trauma event.
The company said it could not yet confirm the extent of any patient health or financial information that has been compromised. Ardent says it reported the issue to law enforcement and retained third-party forensic and threat intelligence advisors, while working with cybersecurity specialists to restore IT functions as quickly as possible. There was no timeline yet to resolve the problems.
Ardent, which is based in the Nashville suburb of Brentwood, owns and operates 30 hospitals and more than 200 care sites with upwards of 1,400 aligned providers in Oklahoma, Texas, New Jersey, New Mexico, Idaho, and Kansas.
Each hospital is still providing medical screenings and stabilizing care to patients arriving at emergency rooms, the company said.
In Amarillo, Texas, William Spell said he and his mother have been sick with flu-like symptoms for days but have been unable to see a doctor because of the cyberattack.
Spell, 34, said he tried Sunday night to make an appointment through an online patient portal but could not access it.
“We are trying to figure out other options as to what to do next because we cannot make an appointment with my primary care doctor,” he said Tuesday.
BSA Health System — the Ardent umbrella provider for Spell’s clinic and other facilities in the city — said in a Facebook post that it was working to restore its patient portal and system for video doctor’s visits. Spell said his doctor’s office could not tell him how long the outage might last and advised him and his mother to visit an urgent care clinic.
“That’s just something we cannot do because urgent-cares charge a lot of money just to walk through the door and be seen by a doctor,” Spell said. “There’s no way we can afford that.”
Several hospitals in Albuquerque, N.M., within Ardent’s Lovelace Health System have continued to divert some patients who need emergency care to other city hospitals, Lovelace spokesperson Whitney Marquez said. They also are rescheduling elective and other non-urgent surgeries.
In Topeka, Kan., a hospital spokesperson confirmed the attack put the University of Kansas Health System-St. Francis on divert status. Meanwhile, the city’s other hospital, Stormont Vail, saw patient volume begin increasing Friday and increased weekend staffing, said Stormont Vail Health spokesperson MollyPatt Eyestone.
There was no immediate claim of responsibility for the attack. Ransomware criminals do not usually admit to an attack unless the victim refuses to pay.
“The attack against Ardent Health is both egregious and quickly becoming the norm,” said Allan Liska, an analyst at the cybersecurity firm Recorded Future.
While some groups won’t attack hospitals, “they are greatly outnumbered by those who will and with the number of ransomware groups growing every day, the percentage who won’t attack hospitals is constantly decreasing,” Liska said. “Health care, in general, is an attractive target for these groups because there is a perception that they are more likely to pay, even though the evidence suggests otherwise.” Even when health care providers don’t pay, ransomware groups can sell patient data, Liska added.
A recent global study by the cybersecurity firm Sophos found nearly two-thirds of health care organizations were hit by ransomware attacks in the year ending in March, double the rate from two years earlier but dipping slightly from 2022. Education was the sector most likely to be hit, with attack saturation at 80 percent.