The incident comes as several other regional providers are recovering from recent attacks
Marianne Kolbasuk McGee (HealthInfoSec) • August 29, 2023
Two allied health care organizations that operate dozens of clinics and 15 hospitals in the Midwest are the latest regional medical providers to grapple with an enterprise-wide IT outage affecting clinical and administrative applications.
IT systems and phones have been down system-wide since Sunday at Green Bay, Wis.-based Prevea Health and its sister organization, Springfield, Ill.-based Hospital Sisters Health System.
Prevea Health and HSHS have not yet publicly stated whether the incident is connected to a cyberattack. However, the IT disruption at the organizations appears similar to the IT outages that continue to hamper several other regional healthcare providers following recent cyberattacks.
Those other entities include Prospect Medical Holdings, which is based in California but operates 17 regional hospitals and clinics in several states, and Singing River Health System, which has three hospitals and multiple medical facilities serving the Mississippi Gulf Coast region (see Mississippi's hospital systems are still grappling with the onslaught).
Half of Prevea Health is owned by HSHS and half is owned by the medical group's physicians. HSHS has 15 hospitals in Illinois and Wisconsin, and Prevea partners with six HSHS hospitals throughout Wisconsin. The two entities use the same electronic medical record system for all sites, according I had to.
In a joint statement posted on Monday on Prevea's website, the organizations said they are experiencing a “temporary” system-wide outage affecting clinical and administrative applications and communication, including the phone system and the MyChart and MyPrevea patient portals. On Tuesday, the HSHS website appeared to be completely offline.
“HSHS and Prevea have established outage policies and procedures when we experience technology outages and we follow those protocols and continue to care for our patients with the same level of quality, safe and effective care,” the joint statement said.
“We recognize that this disruption is causing inconvenience to some patients and that services may take longer to be scheduled or received.”
Prevea and HSHS did not immediately respond to Information Security Media Group's request for comment and details about the outage.
Long-term effect
Meanwhile, an employee at the Singing River Health System hospital in Mississippi told ISMG on Tuesday that the entity's IT systems were still offline following the cyber incident that occurred over the weekend of August 19. The entity declined ISMG's request for additional details about the cyberattack and the status of the recovery.
In a statement to ISMG on Tuesday, Prospect Medical Holdings said it was still engaged in recovery work after the attack that hit it in early August, but IT systems were coming back online at some of its facilities.
“Prospect Medical's computer systems are now effectively back up and operating normally in many of our markets and hospitals, and connected providers continue to provide safe, quality patient care following a data security incident that disrupted our operations,” the statement said.
“Work to import the paper patient records used by our caregivers while our systems were down into our electronic medical record systems continues.”
At least a dozen health care entities and related clinics were forced to shut down electronic health records in the first half of 2023 due to cyber incidents, said Toby Gouker, chief security officer for state-owned health services and risk management firm First Health Advisory. “When systems are forced offline, patient safety, morbidity of care due to delays, and quality of care are compromised.”
However, the need to take IT systems offline to deal with a cybersecurity incident can also have far-reaching implications for healthcare entities in terms of financial impact.
“Data confirms that these outages can cost larger entities an average of $1 million per day in lost revenue and recovery costs,” Gouker told the Information Security Media Group.
Just this month, Massachusetts-based health insurer Point32Health, which suffered a ransomware attack in April that compromised the personal information of more than 2.5 million people and disrupted IT systems for weeks, reported an adjusted net loss of $51.4 million for the six months ended June 30. Much of the damage was linked to the cyberattack.
The company said its adjusted net income included an operating loss of $102.7 million and investment income of $51.3 million, excluding mark-to-market investments.
“Our operating results for the first six months of this year represent headwinds largely related to the cyber incident that are transitory and one-time,” Scott Walker, chief financial officer of Point32Health, said in the report.
Point32Health and the Harvard Pilgrim Health unit directly affected by the cyberattack are also facing several proposed federal class-action lawsuits related to the data breach (see Point32Health, Harvard Pilgrim Facing 4 Data Breach Lawsuits).