Hospital IT services taken offline as Universal Health Services hit by likely cyberattack

Universal Health Services (UHS), a healthcare provider with 400 facilities, had its IT network taken offline by what appears to be a sweeping cyberattack—potentially driven by ransomware—that began over the weekend. UHS previously received a high score from UpGuard, a platform that vets institutional security at enterprises.

The healthcare giant issued a public statement on its website (which is still operating) to assure patients and employees that their personal data doesn’t appear to have been “accessed, copied, or misused,” despite “an IT security issue.” The company said it is working with its security partners to restore operations and is using backup processes, “including offline documentation methods.”

NBC News confirmed that while patients’ charts are on paper, nurses have resorted to hand labeling medication because the systems are down and haven’t been updated since September 26.

UHS added that “patient care continues to be delivered safely and effectively,” which is likely good news for patients and caregivers. According to UHS, it serves 3.5 million people per year. But analog methods tend to slow delivery of reports and medications, which could lead to negative outcomes for patients.

We reached out to UHS for further comment and will update this post with additional details if we hear back.

An SC Media report noted that some ransomware groups had agreed not to target hospitals or healthcare facilities during the pandemic. However, the death of a patient in a German hospital is currently under investigation because it was potentially caused by a ransomware attack. Lani Dornfeld, an attorney in the Healthcare Law Practice at Brach Eichler, points out that this has been a busy month at the DHHS Office for Civil Rights (OCR), the HIPAA enforcement agency. “In September alone, the DHHS, OCR announced three major settlements with health care providers and insurers involving ransomware attacks, “Dornfeld says, “one for $1.5M, one for $2.3M and one for $6.85M, the latter of which affected more than 10.4 million people and is the second-largest OCR settlement to resolve HIPAA violations.”