MEMPHIS, Tenn. — A major cyberattack is affecting a healthcare provider with more than 400 locations across the country, four of them in the Memphis area.
Universal Health Services said in a statement Monday that its IT network is down due to an IT security issue.
“We implement extensive IT security protocols and are working diligently with our IT security partners to restore IT operations as quickly as possible. In the meantime, our facilities are using their established back-up processes including offline documentation methods. Patient care continues to be delivered safely and effectively,” the company said in its statement.
The company said no patient or employee data appears to have been accessed, copied or misused.
UHS operates four Memphis-area facilities. It is not known whether any of the local facilities were affected. They are:
UHS provided no details, but people posting to an online Reddit forum who identified themselves as employees said the chain’s network was hit by ransomware overnight Sunday. The posts echoed the alarm of a clinician at a UHS facility in Washington, D.C., who described to The Associated Press a mad scramble, including anxiety over determining which patients might be infected with the virus that causes COVID-19.
John Riggi, senior cybersecurity adviser to the American Hospital Association, called it a “suspected ransomware attack,” adding that criminals have been increasingly targeting the networks of health care institutions during the coronavirus pandemic.
Ransomware is a growing scourge in which hackers infect networks with malicious code that scrambles data and then demand payment to restore services.
Increasingly, ransomware purveyors are downloading data from networks they infiltrate before encrypting targeted servers, using it for extortion. Earlier this month, the first known fatality related to ransomware occurred in Duesseldorf, Germany, after an attack caused IT systems to fail and a critically ill patient needing urgent admission died after she had to be taken to another city for treatment.
UHS itself may not be a household name, but its hospitals are part of communities from Washington, D.C., to Fremont, California, and Orlando, Florida, to Anchorage, Alaska. Some of its facilities provide care for people coping with psychiatric conditions and substance abuse problems.
The company based in King of Prussia, Pennsylvania, did not immediately respond to emails seeking more information, such as whether patients had to be diverted to other hospitals.
In the U.S. alone, 764 healthcare providers were victimized last year by ransomware, according to data compiled by the cybersecurity firm Emsisoft. It estimates the overall cost of ransomware attacks in the U.S. to $9 billion a year in terms of recovery and lost productivity. The only way to effectively recover, for those unwilling to pay ransoms, is through diligent daily system data backups.