Brian Kirsch knew something was wrong at his local medical clinic when he turned up for a scheduled appointment on Wednesday morning.
“They didn’t have me on file for even having an appointment because they couldn’t print out the new schedule,” Kirsch, an IT instructor at Milwaukee Area Technical College, said in an interview. “The computer systems weren’t working. They couldn’t pull up my medical records.”
The clinic is part of the network of Ascension, one of the country’s largest nonprofit health systems. Kirsch said the clinic’s staff resorted to pen and paper, and he was ultimately able to get in for an appointment.
Unbeknownst to Kirsch at the time, Ascension was part of a hack of the hospital chain’s systems. By the end of the week, the hospital network said it was diverting some ambulances, suspending elective surgeries and rescheduling tests and appointments while it works to bring its systems back online.
The Ascension breach is the latest example of hackers disrupting the US health-care system. Last week, Andrew Witty, chief executive officer of UnitedHealth Group Inc, faced punishing congressional hearings over a February breach at a subsidiary, Change Healthcare, that delayed billions of dollars of payments to doctors and hospitals and saw hackers make off with data on as many as one in three Americans.
The Biden administration intends to require minimum cybersecurity standards for entities that receive money from Medicare and Medicaid, a US official told Bloomberg News on Thursday. The time table for publishing those requirements isn’t yet known.
In a statement on Friday, Ascension said hospitals and clinics couldn’t access electronic health records, nor could patients use a separate portal which allows them to communicate with their providers. Phone systems and technology that orders tests, procedures and medications were also offline, according to the health network.
A spokesperson didn’t immediately respond to a request for comment Friday.
Given the lack of technology, Ascension told patients to “bring to their appointment notes on their symptoms and a list of current medications and prescription numbers or the prescription bottles so their care team can call in medication needs to pharmacies.”
“Sadly, this scenario is all too familiar, necessitating a proactive shift toward prevention,” said Gerasim Hovhannisyan, chief executive officer of Delaware-based software company EasyDMARC Inc.
“Given the health-care sector’s attractiveness to cybercriminals due to its valuable data, the frequency of such attacks is likely to rise,” Hovhannisyan said. “As a result, it’s imperative to elevate cybersecurity as a priority and take concerted action to reverse this troubling trend.”
Social media users posted videos or descriptions of network failures at Ascension hospitals from Austin to Southfield, Michigan. One woman who described herself as a doctor wrote on X that she was checking to make sure her patients at an Ascension hospital were getting their medicines and vitals checked. Nurses at the hospital, she wrote, were writing prescriptions from memory.
Another, describing herself as a family medicine resident physician, said immediately after the breach that providers had no access to patient information and asked for prayers for her labor and delivery patients.
Neither could be immediately located for comment.
Kirsch, the IT instructor in Milwaukee, said that even as “nobody knew what was going on,” people were calm at the clinic.
“I was there to see about my cough. It was nothing critical by any means,” he recalled. “To be honest, in this area, the weather finally got nice, so that uplifted a lot of people. People would be a lot more crabby if we had three feet of snow out there.”
©2024 Bloomberg L.P.