Illinois hospital forced into EHR downtime after cyberattack

Sarah D. Culbertson Memorial Hospital in Illinois is the latest hospital to be forced into electronic health record downtime procedures after a cyberattack. On its social media page, officials notified patients that a “network disruption” found on March 30 forced its systems offline.

The cyberattack “disabled access to most functions.” The hospital’s response team is continuing to investigate with support from third-party specialists as it works to “understand the full depth of the intrusion.”

After a week of network downtime, officials say they’ve been able to restore a portion of the impacted systems. Full access to its critical service systems is expected to be restored by April 11.

The hospital has already implemented a host of security improvements, alongside its investigation and recovery efforts. Its community notice doesn’t mention any patient impacts, such as care delays, and comments on the post are limited, which means there are no responses from patients on possible disruptions.

RansomHouse group threatens to leak data in Barcelona attack

The Culbertson Memorial news followed an update from the Hospital Clinic of Barcelona Medical Director Antoni Castells on the ongoing outages caused by a RansomHouse cyberattack one month ago. As SC Media previously reported, the March 4 hack crippled the hospital’s emergency room, laboratories and clinics.

Pharmacies at three main facilities and other external clinics were also impacted, while nearly 3,000 care appointments and 150 non-urgent surgeries at one of the city’s primary hospitals were delayed.

While the hospital continues its recovery efforts, the cybercriminals are threatening to leak 4GB of data tied to patients with infectious diseases, according to local media outlets. RansomHouse is working to strong-arm the hospital into paying a $4.5 million ransom, after encrypting the hospital’s virtual data center and its information.

As a result, officials say they’ve been unable to recover patient data or add new health information into the system.

The threat actors have already published some data they claimed to have stolen from the provider, ramping up the extortion attempts by threatening to publish information tied to infectious disease treatments, including the hospital’s use of experimental drugs tied to senior care. RansomHouse is simultaneously threatening the police after law enforcement efforts to block their site.

But no amount of extortion will coerce a ransom payment. According to the Secretary of Telecommunications and Digital Transformation Sergi Marcén: "There is no type of negotiation; the government will not pay a penny."

Officials also shared an update on the hack, hospital outage and recovery efforts. The initial findings suggest the attack was likely prompted after the threat actors targeted hospital and government staff. The investigation found over 600 emails were sent to workforce members.

And while the hospital has maintained operations, at least 300 surgical operations, 11,000 external visits, and nearly 4,000 appointments have been rescheduled during the outages.

Healthcare cyberattacks that lead to network downtime cause an average of $1 million to $2 million in losses for each day of outages. The latest example was seen after the monthlong outage caused by the cyberattack on CommonSpirit Health. Its financial report revealed the security incident had a $150 million price tag due to lost revenue and recovery costs.

Unlike other industries, hospital cyberattacks don’t just cause reputational and financial harm. Network outages cause patient care impacts and an increase in patient morbidity.

Hackers stole data before Tallahassee Memorial HealthCare cyberattack

Tallahassee Memorial HealthCare recently informed 20,376 patients that their health data was stolen, prior to the deployment of a cyberattack on Feb. 3.

As reported by SC Media, the hospital was forced into EHR downtime after an “IT security issue” was discovered in February. The system outages forced the provider to reschedule all non-emergency patient appointments and cancel all non-emergency surgical and outpatient procedures.

Initially, the hospital was only able to accept “Level 1” trauma patients in its emergency department.

Its recent breach notice provides further insights into the incident. The subsequent investigation found the threat actors first gained access to the network on Jan. 26, a week before the cyberattack, and used the dwell time to exfiltrate “certain files” from its systems.

The stolen data varied by patient but could include names, contact details, Social Security numbers, dates of birth, health insurance information, medical record and patient account numbers, and treatment information.

TMH is continuing to enhance its systems and data security to prevent a recurrence.

Atlantic General Hospital, which reported a similar outage and cyberattack a week before the TMH hack, recently issued a near-identical breach notice to 26,591 of its patients.

Monument latest health app to report third-party data sharing

Alcohol treatment platform Monument issued a breach notice to its users, reporting that the use of pixels on its app led to the disclosure of their personal and health information to tech and social media giants. Monument also owns the health app Tempest and is affiliated with Live Life Now Health Group and Purdy Medical.

Monument used pixels and similar tracking technologies on its sites, which were tied to Meta, Google, Bing, Pinterest, and other third parties. After the Department of Health and Human Services warned healthcare entities of the risks posed by pixels, Monument launched a review.

On Feb. 6, the investigation found that user data was shared “with those third parties without the appropriate authorization, consent, and agreements required by law” between November 2017 and late 2022, for Tempest users, and January 2020 and late 2022, for Monument users.

The data could include dates of birth, user photographs, contact information, email addresses, unique digital IDs, insurance member IDs, URLs, selected treatment services or plans, health assessment or survey responses, appointment details, and associated health data. Digital footprints may have also been disclosed.

The pixels were fully disconnected by February 2023.

Monument joins a growing list of companies and healthcare providers to report pixel-related disclosure of user data to third parties. It's unclear whether Monument leadership will face FTC enforcement actions similar to those against GoodRx and BetterHelp after egregious third-party data disclosures.

Third-party data sharing via pixels is a massive issue in the healthcare sector. Just last week, data confirmed nearly all hospitals use third-party tracking code that routinely transfers patient data to large tech companies, social media giants, data brokers, and advertising firms.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
