St. Margaret’s Health has temporarily suspended operations at its hospital in Peru, Illinois, as its leadership could not “find nor financially support” a new provider for its emergency room department.
A cyberattack on St. Margaret’s Health’s Spring Valley Hospital and impacts of COVID-19 are cited as driving forces behind the decision.
The Spring Valley branch was struck by a cyberattack on Feb 22, 2021, prompting the launch of electronic health record downtime procedures and a complete enterprise network shutdown that lasted for several weeks. All web-based operating systems, such as email and the patient portal, were also brought offline.
Patient care continued without interruption, due to its previously implemented and practiced downtime procedures. However, the hospital was forced to divert its diagnostic imaging procedures to another hospital branch to ensure accuracy of scans. According to the letter sent to employees, these outages contributed to the hospital’s ongoing financial constraints.
The letter cites a number of factors, including the cyberattack that led to the hospital being unable to “bill nor get paid, in a timely manner, for the services provided during the outage. The hospital was also facing staffing shortages that required the use of “temporary agencies to fill positions at a significantly higher pay rate.”
“And, like you, we have been faced with rising costs for goods,” the health system CEO and board chair wrote. “This all came at great financial cost. It’s obvious to the Board and Administration that action is needed now.” Further, “the current provider of physicians terminated their contract effective at that time.”
The hospital has also struggled to “attract enough staff to continue to operate both hospitals.” As a result of these compounding factors, the hospital will no longer have ER physician coverage at its SMH-Peru branch beginning on Jan. 28 as hospitals aren’t legally allowed to operate without a fully staffed emergency room.
The letter notes that hospital leadership will continue its ongoing efforts to convert the Peru branch to a Rural Emergency Hospital (REH) by working with local legislators to “expedite adoption of the REH regulations that were just issued by Centers for Medicare Services (CMS).”
Although temporary, the situation is a worst-case scenario stakeholders have long suspected could occur when constrained budgets meet the staggering recovery costs and lost revenue brought on in the wake of a cyberattack.
St. Margaret’s Health situation is a rare occurrence, with just two reported closures in 2019. Brookside ENT and Hearing Center in Michigan and California-based Wood Ranch Medical permanently closed after hackers encrypted and either damaged or deleted the data. Rather than pay the ransom or costs to rebuild, the providers opted to shutter their practices.
Several estimates based on health systems that provided financial details after an incident detail just how much a cyberattack with related-outages cost provider organizations. For example, the outages at Universal Health Services and Vermont Health lasted about one month, and cost $67 million and $63 million ,respectively.
The July IBM Cost of a Data Breach report found breaches are the costliest in healthcare, at an average of $10 million each. These costs are tied to recovery, lost revenue, and the highly regulated nature of the sector overall.
While St. Margaret Health’s hospital closure appears temporary, it should serve as another warning to provider organizations to practice remediation plans and ensure business continuity plans include processes for maintaining critical services in the event of a cyber-related outage.
