
Amid recovery, Kentucky hospital details cyberattack discovered in January

Taylor Regional Hospital in Kentucky gave details about a cyberattack discovered in January that brought down its systems. (“Bankstown Hospital Emergency Room” by red.wolf is marked with CC BY-NC-SA 2.0.)

Amid its continued recovery efforts, Taylor Regional Hospital (TRH) in Kentucky notified patients this week that the cyberattack began with a systems hack, which led to access to their protected health information.

The notification comes well ahead of the 60-day timeline required by the Health Insurance Portability and Accountability Act. The transparency can empower patients to take quick action to monitor for and prevent potential fraud attempts.

As previously reported, TRH first reported a phone and network outage at the end of January that led to the deployment of electronic health record downtime procedures. The hospital later confirmed that all systems were brought down by a cyberattack.

The hospital has been able to maintain care operations throughout the nearly 10-week outage, with patients rallying support for hospital clinicians on social media. A website notice has been updated with each step of the recovery process, including instructions for patients to bring paper medical histories and to expect long delays at appointments, particularly at the walk-in clinic.

The latest update provides more details on the attack methods and the hospital’s response. On Jan. 20, TRH first identified suspicious activity on its computer systems and took steps to contain the incident. Law enforcement was notified, and the hospital began to investigate with support from a third-party cybersecurity firm.

Although the investigation is ongoing, TRH determined the systems access began back on Nov. 2, 2021, and continued until Jan. 19, 2022. During the hack, the threat actor exfiltrated “certain files” from the network. The investigation also found the attacker possibly accessed information stored on other systems.

A review of the stolen files has concluded the patient-related information included names and one or more data points, such as Social Security numbers, contact information, dates of birth, insurance details, medical record numbers, and/or clinical information tied to care received at TRH.

TRH will send notifications to the impacted patients in the coming weeks and is encouraging patients to review statements from their providers or insurers to defend against fraudulent activity. The hospital is currently bolstering the security of its systems and data stores.

Currently, the TRH website shows all phone lines have been restored outside of two oncology departments. The main phone lines were finally restored on March 4, with the majority of the phone lines following in short order. 

However, it also appears there are continued outages at the lab services department. While normal hours have resumed, patients are still being urged to bring written prescription orders and a list of current medications to their appointments. Social media posts show some patients are also continuing to report access issues with the patient portal.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
