Data Security, Privacy, Breach

Missouri’s CRMC brings network back online, 3 weeks after cyberattack

Much like in August 2020, Missouri has seen a tremendous uptick in COVID-19 cases. All the while, Capital Region Medical Center has operating under EHR downtime procedures after a cyberattack. (Photo by Spencer Platt/Getty Images)

Three weeks after reporting a network and telephone outage across its care network, Capital Region Medical Center has brought much of its network back online. The website, including online bill pay and the patient portal, has been fully restored.

“While some services remain impacted, we have made significant progress on restoring systems,” CRMC officials said in a statement. “There is still more work to be done, and our IT staff is working diligently to bring systems back online safely and securely.”

A week before the holidays, SC Media first reported the ongoing telephone and computer issues at the University of Missouri Health Care affiliate, the cause for which was not immediately confirmed as a cyberattack.

However, CRMS was swift to provide patients and the public with transparent updates on the ongoing network outages. The cyberattack struck on Dec. 17, discovered as unusual activity in its phone system.

All systems were taken offline as a precaution, which meant phone calls to CRMC met a busy signal, and calls that reached the operator could not be transferred. The CRMC website also went down with the attack, as did the patient portal and billing services. 

The previous update showed the website was back online, although clinicians and staff were continuing to operate under previously established electronic health record downtime procedures to “ensure care continuity.”

All patient services continued as normal, despite ongoing high volumes of patient volumes brought on by COVID-19 and the flu season. CRMC also expanded its administrative services support for patient registration and routine follow-ups.

CRMC has been working with a third-party cybersecurity firm on the investigation and recovery, and it appears the provider may also be facing suspected data privacy issues. The investigation into the incident has found evidence that the personal and protected health information of some patients was accessed and/or viewed during the incident. 

The investigation is in its early stages, and the potential data breach has not been confirmed. Officials say they’re reviewing files to determine just what information was accessed. Patients and employees are being urged to review their account statements for unusual activity, while CRMC works to confirm or dispel the data breach.

Although not required by the Health Insurance Portability and Accountability Act, these advanced notices are crucial in the fight against fraud and other identity theft attempts. By notifying patients as soon as a breach is suspected, individuals can move quickly to prevent falling victim and protect their accounts from criminal activity.

As seen with the recent lawsuit against health tech vendor QRS, cybercriminals will often move quickly to utilize stolen data. The breach victim who filed a lawsuit against QRS claims he faced unverified charges to his credit cards and bank accounts and believes his data was “sold on the dark web following the data breach.”

While CRMC has not found evidence of data theft, viewing or accessing PHI and other personal information can have similar effects. The transparency on the potential of data theft can save patient from similar hassles and monetary expenditures.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.