Twenty million Americans are at risk of ‘dangerous’ hospital care after a cyberattack at one of the biggest hospital chains last month, security experts have told DailyMail.com.
CommonSpirit Health — a system that runs 140 hospitals, and more than 1,000 care sites including cancer clinics, surgery hubs and stroke centers— suffered a major IT breach on October 3 in a suspected ransomware hack.
The FBI, Department of Justice and CommonSpirit have refused to comment on the scale of the attack, how many sites were affected and whether or not the issue has been resolved — despite multiple requests by DailyMail.com.
It means Americans across 21 states could still be completely unaware they are at risk of receiving faulty care, and there are already signs the cyber hack has had real consequences on patients.
A three-year-old boy in Iowa was accidentally given a megadose of opioids on October 4 when the computer system which tells doctors how much medication to give was shut down.
And other patients — including those with brain bleeds, ovarian cysts and cancerous tumors — saw their surgeries delayed by up to a month, despite being referred for ‘urgent’ care.
Ambulances were also diverted away from a struggling hospital which was hit by the cyberattack to one not run by CommonSpirit.
Anonymous posts by people online claiming to work at CommonSpirit hospitals around the country say ‘nothing is organized’ and described patient care as ‘terrible and unsafe’.
James McGibney, former cybersecurity expert for the marines, told DailyMail.com the situation could still be ‘very dangerous’, especially if doctors are caring for patients without access to their medical information.
He said: ‘They know they still need to treat the patient, but they’re going based off what the patient is telling them… there’s so many things that could go wrong… next thing you know, something catastrophic happens with the patient.’
In a chilling admission, Ken Westin, a cybersecurity expert, said the IT breach will have had ‘significant’ impacts on patients without them even knowing it.
Healthcare provider CommonSpirit, with its HQ in Chicago, has 140 hospitals in 21 states. The company suffered a ransomware attack on October 3 , forcing it to shut down its computer systems. The next day a toddler was mistakenly overdosed on medication in Iowa because a doctor could not access the dispensing IT program. Ambulances had to be diverted away from the struggling hospital. In Washington, patients’ cancer care was delayed for days while the hospital systems were down
Jay Parsi, three, of Urbandale, had his tonsils taken out on September 30, but came back to the hospital a few days later after he continued to not eat or drink much
Jay was eventually admitted into the hospital overnight and was given a steroid, as well as Tylenol mixed with codeine, an opioid, the next morning
Later, a resident doctor came into the room to inform Kelley that her son had been given a ‘megadose’ of pain medication for his age and size
He told DailyMail.com: ‘Patients need to be vigilant — there might be follow on attacks. If patient information was compromised, that information could be sold on the dark web.’
CommonSpirit confirmed the attack was ransomware, which is when a cybercrime group infiltrate a hospital’s computer system and encrypt all of its databases, including patient records, meaning no one from the healthcare system can access them.
The hackers then usually ask for money in exchange for a decryption key that allows them back into the system. Without access to patient records and other hospital programs including drug dispensing systems, doctors and nurses are effectively treating patients in the dark.
In previous cyberattacks, hospitals have taken over a week to get their files back, but the effects can be felt indefinitely because it is almost impossible to tell if they’ve altered data or if any information was lost in the process.
Mr Westin said it can take months to fully recover data from a backup.
On CommonSpirit, he said: ‘It’s been taking them weeks and will probably take them months to fully recover from it.’
There are also concerns for the medical records of 2 million Americans who are on CommonSpirit registers.
This week, hackers began leaking 9.7 million medical records, including customers’ names, birth dates, passport numbers and information on medical claims, lifted from major Australian health insurer Medibank after it refused to pay the ransom demand.
CommonSpirit was hacked on October 3, and announced an ‘IT security issue’ the next day.
Computer systems were taken offline on October 5, and came back on October 16. It wasn’t until October 17 that CommonSpirit provided a further update, confirming the attack was ransomware.
The company said in its latest update on November 9 that the ‘majority’ of providers have access to patient’s electronic health records.
It said: ‘As previously shared, our teams continue to work diligently to bring systems online and restore full functionality as quickly and safely as possible, including electronic health records (EHRs).
‘Providers in the majority of markets now have access to the EHR across the CommonSpirit Health system, including at hospitals and clinics.
‘In addition, most patients can again review their medical histories through the patient portal and we are working to restore appointment scheduling capabilities to the portal in cases where that feature exists.
‘In the meantime, patients should contact their provider’s office directly to schedule an appointment.’
CommonSpirit told DailyMail.com it had reported the incidence to ‘law enforcement’. The FBI is the lead federal agency for investigating cyber attacks, especially when it comes to sensitive records or public companies.
But FBI and DOJ declined to comment to DailyMail.com, saying they could not confirm or deny the existence of an investigation.
When this website approached the FBI office in Chicago — where CommonSpirit’s headquarters are located — they also said standard policy prohibits commenting on whether an investigation is occurring at all.
Because the agencies were unable to provide any information about their possible investigations, the true scale of attack is not known.
Last month, toddler Jay Parsi was accidentally overdosed on pain medication at MercyOne Children’s hospital in Des Moines, Iowa, which is part of the CommonSpirit system.
His parents were told doctors mistakenly administered the megadose after the cyberattack had caused certain systems to be taken offline, causing staff to treat patients without electronic access to records and the programs which tell them the correct drug dosages.
The boy’s mother, Kelley Parsi, told NBC News her three-year-old son was given ‘five times his prescribed dose and two times his body weight’.
After hours of his body processing the steroid and Tylenol mixed with codeine, he made a full recovery.
Another patient at St Joseph Medical Center in Washington, Kathy Kellogg, which is run by CommonSpirit, had the removal of a cancerous tumor on her tongue delayed on October 3 by two days due to the hospital’s computer systems being offline, KING-TV reported.
Also in Washington, one man was denied a planned CT scan at St Michael Medical Center to monitor a life-threatening brain bleed.
His wife told the Kitsap Sun on October 4: ‘My husband is in limbo with a potentially very serious neurological condition… If the brain bleed continues, there can be dire consequences to brain function and to life itself.’
Patient Rachel Cupples, from Western Washington, had to wait weeks due to the cyberattack for an operation doctors said she needed rapidly.
She attended the emergency room in late September with extreme pain and was told she had an ovarian cyst that needed to be removed as soon as possible.
But Ms Cupples’ hospital was no longer taking new surgery appointments due to the cyberattack.
She told NBC News: ‘I called and found out that all their systems were down and that they couldn’t schedule or do anything.
‘Nobody really knew at that point, or at least they weren’t sharing, how long it was going to be.’
In late October, CommonSpirit Health’s scheduling systems came back online, and Ms Cupples had successful surgery November 3. Other patients had to wait two hours past their scheduled appointment time on October 24 to be seen.
And the Des Moines Register reported the incident forced the diversion of five ambulances from the MercyOne hospital’s emergency department to Iowa Methodist Medical Center on October 3.
A Reddit user who claimed to be an emergency department nurse in one of the Washington state hospitals said on October 10: ‘We are drowning. Nothing is organized, nurses and docs chart meds and orders in all different areas because none of the paper charting is streamlined, every single drug is a Pyxis override.
‘Since downtime is also down, no looking at a patient’s previous care. If someone comes in altered or intubated, detective work begins.’
They described the situation as ‘terrible and unsafe’ and said the hackers had also ‘attacked the backup’ of patient data.
Pyxis override is the process of removing medication from an automatic dispensing system without a verified order, which led to Jay Parsi’s overdose.
Another user said: ‘I’m a pharmacist at one of the affected hospitals in Washington state. We are drowning. I work nights by myself and I’m developing a stress ulcer thinking about the s**** care we’re providing patients and how dangerous this all is. Patients are going to die at some point.’
Security researcher Mr Westin told DailyMail.com the IT breach has had a ‘significant’ impact on patients.
Pictured above is the MercyOne hospital in Iowa, one of the facilities that was affected in the ransomware attack, and where Jay Parsi was overdosed
Shown here is the HQ for CommonSpirit Health in Chicago, Illinois. The system serves more than 20 million patients
He said: ‘We’re seeing cases where doctors didn’t have access to some of the information needed for the care. Cases where people have been over prescribed drugs as a result of that, a lot of surgeries have had to be rescheduled.
‘So far, it hasn’t cost human life, but it does cause potential issues if you have potentially life- saving surgery and you have to delay it by two weeks because of the ransomware incident.
‘It’s starting to get pretty serious, because the ransomware groups used to have some ethics around this – they wouldn’t target hospitals or schools. But there’s so much competition now and they’re just becoming much more brazen and greedy.’
Even though CommonSpirit’s IT systems are now back online, Mr Westin said the hospitals are ‘gonna be dealing with it probably for another few months, before all the systems are completely back online, and that’s going to cause an inconvenience to the patients’.
He advised patients to be vigilant, and to call their doctor’s office to verify that emails are from them if they look suspicious.
But cybersecurity expert Mr McGibney, a former Marine who was in charge of cybersecurity for 128 US embassies while in the armed forces, told DailyMail.com once the hacker has access to hospitals’ systems and data, ‘there’s absolutely the chance’ they will have access to all future records.
He said: ‘One statement you’ll never see from a hospital or anywhere else after they get hit with ransomware is, “We 100 per cent guarantee that whoever hacked our systems is no longer anywhere on our network”, because it’s very difficult to know.’
There is also the chance hackers have altered data, he added.
He said: ‘Think about all the records that they have to go through and look at change logs to see when any potential changes were made to a file, and then figuring out who made the change, was it an actual employee or was it the hacker?’
Mr McGibney said that doctors not being able to access patient records is ‘very dangerous’.
He said: ‘They know they still need to treat the patient, but they’re going based off what the patient is telling them from that point moving forward.
‘If they get the dose wrong, there’s so many things that could go wrong… next thing you know, something catastrophic happens with the patient. Then think about all the lawsuits on top of all that.’
On October 21, the FBI, Cybersecurity and Infrastructure Security Agency, and Department of Health and Human Services released a joint alert about cybercrime group Daixin Team.
They warned the group is ‘actively targeting US businesses, predominantly in the healthcare and public health sector, with ransomware and data extortion operations’.
It said the Daixin Team have used ransomware to access electronic health records and diagnostic, imaging and staff intranet services, as well as secretly withdrawing personal identifiable information and patient health information (PHI) and threatening to release the data if a ransom is not paid.
John Riggi, the American Hospital Association’s national advisor for cybersecurity and risk, said: ‘This particularly urgent alert is directly relevant to ongoing ransomware threats currently targeting hospitals and health systems.’
Pseudonymous blogger known as Dissent Doe, a healthcare professional who has been reporting on ransom incidents in the health sector for the past decade, told DailyMail.com: ‘While Daixin Team wouldn’t directly confirm involvement in the CommonSpirit attack or receipt of any ransom, all signs point to ransom having been paid – not the least of which is that if CommonSpirit hadn’t paid, some group would have publicly claimed responsibility and started leaking data to put pressure on them.’
CommonSpirit has not updated their incident report page since October 17, which is shortly before Doe believes the ransom was paid and the systems started to be restored.