Twenty million Americans are at risk of ‘dangerous’ healthcare after a cyberattack at one of the country’s biggest hospital chains last month, security experts have told DailyMail.com.
CommonSpirit Health — a system that runs 140 hospitals, and more than 1,000 care sites including cancer clinics, surgery hubs and stroke centers— suffered a major IT breach on October 3 in a ransomware hack.
The FBI, Department of Justice and CommonSpirit have refused to comment on the scale of the attack, how many sites were affected and whether or not the issue has been resolved — despite multiple requests by DailyMail.com.
It means Americans across 21 states could still be at risk of receiving faulty care, and there are already signs the cyber hack has had real consequences on patients.
A three-year-old boy in Iowa was accidentally given a megadose of opioids on October 4 when the computer system which tells doctors how much medication to give was shut down.
And other patients — including those with brain bleeds, ovarian cysts and cancerous tumors — saw their surgeries delayed by up to a month, despite being referred for ‘urgent’ care. Ambulances were also diverted away from a struggling hospital which was hit by the cyberattack to one not run by CommonSpirit.
Anonymous posts by people online claiming to work at CommonSpirit hospitals around the country described patient care as ‘terrible and unsafe’ since the attack, claiming they are treating patients without full access to their digital medical records.
James McGibney, a former cybersecurity expert for the marines, told DailyMail.com the situation could still be ‘very dangerous’, especially if doctors are indeed are caring for patients without access to their files.
He said: ‘They know they still need to treat the patient, but they’re going based off what the patient is telling them… there’s so many things that could go wrong… next thing you know, something catastrophic happens with the patient.’
In a chilling admission, Ken Westin, a cybersecurity expert, said the IT breach could have ‘significant’ impacts on patients without them even knowing it.
Healthcare provider CommonSpirit, with its HQ in Chicago, has 140 hospitals in 21 states. The company suffered a ransomware attack on October 3 , forcing it to shut down its computer systems. The next day a toddler was mistakenly overdosed on medication in Iowa because a doctor could not access the dispensing IT program. Ambulances had to be diverted away from the struggling hospital. In Washington, patients’ cancer care was delayed for days while the hospital systems were down
Jay Parsi, three, of Urbandale, had his tonsils taken out on September 30, but came back to the hospital a few days later after he continued to not eat or drink much
Jay was eventually admitted into the hospital overnight and was given a steroid, as well as Tylenol mixed with codeine, an opioid, the next morning
He told DailyMail.com: ‘Patients need to be vigilant — there might be follow-on attacks. If patient information was compromised, that information could be sold on the dark web.’
CommonSpirit confirmed the attack was ransomware, which is when a cybercrime group infiltrate a hospital’s computer system and encrypt all of its databases, including patient records, meaning no-one from the healthcare system can access them.
The hackers then usually ask for money in exchange for a decryption key that allows them back into the system. Without access to patient records and other hospital programs, including drug dispensing systems, doctors and nurses are effectively treating patients in the dark.
Australian officials and Biden warn there is ‘evolving intelligence’ Russia is responsible for cyberattacks
Moscow must he held to account for Russian cybercriminals accused of hacking Australia’s largest health insurer and dumping customers’ personal medical records on the dark web, Australian officials said Friday.
Australian Federal Police took the unusual step of attributing blame for the unsolved cybercrime that resulted in the personal data of 9.7 million current and former Medibank customers being stolen.
A group of ‘loosely affiliated cybercriminals’ operating like a business in Russia were likely responsible for the Medibank attack as well as other significant security breaches around the world, Australian Federal Police Commissioner Reece Kershaw said.
‘We believe we know which individuals are responsible, but I will not be naming them,’ Kershaw told reporters.
‘What I will say is that we’ll be holding talks with Russian law enforcement about these individuals.’
Prime Minister Anthony Albanese, who is a Medibank customer who had personal data stolen, said he had authorized police to reveal where the attack had come from.
‘We know where they’re coming from, we know who is responsible, and we say that they should be held to account,’ Albanese said.
‘The nation where these attacks are coming from should also be held accountable for the disgusting attacks, and the release of information including very private and personal information,’ Albanese added.
Meanwhile, the Biden administration is warning about the danger of Russian cyber attacks on US businesses or infrastructure amid the war in Ukraine – and warning the US will respond.
A White House fact sheet from March highlighted the potential for Russia to launch ‘malicious cyber activity’ in response to sanctions the US imposed on Russia since it invaded Ukraine – and the administration is revealing it has seen ‘preparatory activity.’
‘I think the President was very clear. We’re not looking for a conflict with Russia. If Russia initiates a cyber attack against the United States, we will respond,’ said Senior White House cybersecurity official Anne Neuberger, who briefed reporters at the White House.
The White House has not said such an attack has occurred since the new sanctions, a matter that surprised some Russia observers. But Moscow may be taking steps to prepare for such an event.
‘There is now evolving intelligence that Russia may be exploring options for potential cyberattacks,’ according to the fact sheet.
In previous cyberattacks, hospitals have taken over a week to get their files back, but the effects can be felt indefinitely because it is almost impossible to tell if they’ve altered data or if any information was lost in the process.
Mr Westin said it can take months to fully recover data from a backup. On CommonSpirit, he said: ‘It’s been taking them weeks and will probably take them months to fully recover from it.’
There are also concerns for the medical records of 20million Americans who are on CommonSpirit registers.
This week, hackers began leaking 9.7 million medical records, including customers’ names, birth dates, passport numbers and information on medical claims, lifted from major Australian health insurer Medibank after it refused to pay the ransom demand.
CommonSpirit was hacked on October 3, and announced an ‘IT security issue’ the next day.
Computer systems were taken offline on October 5, and came back on October 16. It wasn’t until October 17 that CommonSpirit provided a further update, confirming the attack was ransomware.
The company said in its latest update on November 9 that the ‘majority’ of providers have access to patient’s electronic health records.
It said: ‘As previously shared, our teams continue to work diligently to bring systems online and restore full functionality as quickly and safely as possible, including electronic health records (EHRs).
‘Providers in the majority of markets now have access to the EHR across the CommonSpirit Health system, including at hospitals and clinics.
‘In addition, most patients can again review their medical histories through the patient portal and we are working to restore appointment scheduling capabilities to the portal in cases where that feature exists.
‘In the meantime, patients should contact their provider’s office directly to schedule an appointment.’
CommonSpirit told DailyMail.com it had reported the incidence to ‘law enforcement’. The FBI is the lead federal agency for investigating cyber attacks, especially when it comes to sensitive records or public companies.
But FBI and DOJ declined to comment to DailyMail.com, saying they could not confirm or deny the existence of an investigation.
When this website approached the FBI office in Chicago — where CommonSpirit’s headquarters are located — a spokesperson said standard policy prohibits commenting on whether an investigation is occurring at all.
Because the agencies were unable to provide any information about their possible investigations, the true scale of attack is not known.
Last month, toddler Jay Parsi was accidentally overdosed on pain medication at MercyOne Children’s hospital in Des Moines, Iowa, which is part of the CommonSpirit system.
His parents were told doctors mistakenly administered the megadose after the cyberattack had caused certain systems to be taken offline, causing staff to treat patients without electronic access to records and the programs which tell them the correct drug dosages.
The boy’s mother, Kelley Parsi, told NBC News her three-year-old son was given ‘five times his prescribed dose and two times his body weight’.
After hours of his body processing the steroid and Tylenol mixed with codeine, he made a full recovery.
Another patient at St Joseph Medical Center in Washington, Kathy Kellogg, which is run by CommonSpirit, had the removal of a cancerous tumor on her tongue delayed on October 3 by two days due to the hospital’s computer systems being offline, KING-TV reported.
Also in Washington, one man was denied a planned CT scan at St Michael Medical Center to monitor a life-threatening brain bleed.
His wife told the Kitsap Sun on October 4: ‘My husband is in limbo with a potentially very serious neurological condition… If the brain bleed continues, there can be dire consequences to brain function and to life itself.’
Patient Rachel Cupples, from Western Washington, had to wait weeks due to the cyberattack for an operation doctors said she needed rapidly.
She attended the emergency room in late September with extreme pain and was told she had an ovarian cyst that needed to be removed as soon as possible.
But Ms Cupples’ hospital was no longer taking new surgery appointments due to the cyberattack.
Pictured above is the MercyOne hospital in Iowa, one of the facilities that was affected in the ransomware attack, and where Jay Parsi was overdosed
Shown here is the HQ for CommonSpirit Health in Chicago, Illinois. The system serves more than 20 million patients
Boy, 3, given ‘MEGADOSE’ of opioids while recovering from having his tonsils out ‘due to CommonSpirit hack’
An Iowa boy was given a ‘megadose’ of opioids while recovering from having his tonsils taken out at a Des Moines hospital, which blamed a cyber-attack for the wrong dosage.
Jay Parsi, three, of Urbandale, had his tonsils taken out on September 30, but came back to the hospital a few days later after he continued to not eat or drink much.
On October 3, his surgeon highly recommended the little one come back to the emergency room for fluids.
While waiting for their son to receive fluids, his parents Kelley and Raj learned the hospital had suffered from a cyber-attack and certain systems had been taken offline at MercyOne Children’s Hospital, causing staff to treat patients without electronic access to records and ordering medication.
Jay was eventually admitted into the hospital overnight and was given a steroid, as well as, Tylenol mixed with codeine, an opioid, the next morning.
Later, a resident doctor came into the room to inform Kelley that her son had been given a ‘megadose’ of pain medication for his age and size. The doctor told the family that it was due to the hospital having to manually administer and order dosages due to the computer system being down, the Des Moines Register reported.
But Jay’s mom was skeptical of the excuse.
‘They never did explain how a downed computer system led to this,’ Kelley told the Register. I think they were trying to say it was written down wrong or the pharmacy read it wrong, but then, why wouldn’t anyone check?
‘It was an awful, awful experience…We didn’t know what to do.’
Due to the ‘megadose’ – which was ‘five times his prescribed dose and two times his body weight’ – hospital staff equipped Jay’s room with Narcan, in case his heart rate or oxygen levels decreased.
Jay was monitored for six hours without any reaction to the medication. Kelley suspects he did not take the full dosage as Jay had fought the nurse while they had administered it.
‘I anxiously watched monitors all day but he was up talking and tolerated it well,’ the mother wrote on Instagram.
Jay was back up and running by the weekend.
DailyMail.com has contacted the family for comment.
Despite their son’s safe return home, the family said they are now ‘scared to death’ to go back to the hospital.
She told NBC News: ‘I called and found out that all their systems were down and that they couldn’t schedule or do anything.
‘Nobody really knew at that point, or at least they weren’t sharing, how long it was going to be.’
In late October, CommonSpirit Health’s scheduling systems came back online, and Ms Cupples had successful surgery November 3. Other patients had to wait two hours past their scheduled appointment time on October 24 to be seen.
And the Des Moines Register reported the incident forced the diversion of five ambulances from the MercyOne hospital’s emergency department to Iowa Methodist Medical Center on October 3.
A Reddit user who claimed to be an emergency department nurse in one of the Washington state hospitals said on October 10: ‘We are drowning. Nothing is organized, nurses and docs chart meds and orders in all different areas because none of the paper charting is streamlined, every single drug is a Pyxis override.
‘Since downtime is also down, no looking at a patient’s previous care. If someone comes in altered or intubated, detective work begins.’
They described the situation as ‘terrible and unsafe’ and said the hackers had also ‘attacked the backup’ of patient data.
Pyxis override is the process of removing medication from an automatic dispensing system without a verified order, which led to Jay Parsi’s overdose.
Another user said: ‘I’m a pharmacist at one of the affected hospitals in Washington state. We are drowning. I work nights by myself and I’m developing a stress ulcer thinking about the s**** care we’re providing patients and how dangerous this all is. Patients are going to die at some point.’
Security researcher Mr Westin told DailyMail.com the IT breach has had a ‘significant’ impact on patients.
He said: ‘We’re seeing cases where doctors didn’t have access to some of the information needed for the care. Cases where people have been over prescribed drugs as a result of that, a lot of surgeries have had to be rescheduled.
‘So far, it hasn’t cost human life, but it does cause potential issues if you have potentially life- saving surgery and you have to delay it by two weeks because of the ransomware incident.
‘It’s starting to get pretty serious, because the ransomware groups used to have some ethics around this – they wouldn’t target hospitals or schools. But there’s so much competition now and they’re just becoming much more brazen and greedy.’
Even though CommonSpirit’s IT systems are now back online, Mr Westin said the hospitals are ‘gonna be dealing with it probably for another few months, before all the systems are completely back online, and that’s going to cause an inconvenience to the patients’.
He advised patients to be vigilant, and to call their doctor’s office to verify that emails are from them if they look suspicious.
But cybersecurity expert Mr McGibney, a former Marine who was in charge of cybersecurity for 128 US embassies while in the armed forces, told DailyMail.com once the hacker has access to hospitals’ systems and data, ‘there’s absolutely the chance’ they will have access to all future records.
He said: ‘One statement you’ll never see from a hospital or anywhere else after they get hit with ransomware is, “We 100 per cent guarantee that whoever hacked our systems is no longer anywhere on our network”, because it’s very difficult to know.’
There is also the chance hackers have altered data, he added.
He said: ‘Think about all the records that they have to go through and look at change logs to see when any potential changes were made to a file, and then figuring out who made the change, was it an actual employee or was it the hacker?’
Mr McGibney said that doctors not being able to access patient records is ‘very dangerous’.
He said: ‘They know they still need to treat the patient, but they’re going based off what the patient is telling them from that point moving forward.
‘If they get the dose wrong, there’s so many things that could go wrong… next thing you know, something catastrophic happens with the patient. Then think about all the lawsuits on top of all that.’
On October 21, the FBI, Cybersecurity and Infrastructure Security Agency, and Department of Health and Human Services released a joint alert about cybercrime group Daixin Team.
They warned the group is ‘actively targeting US businesses, predominantly in the healthcare and public health sector, with ransomware and data extortion operations’.
It said the Daixin Team have used ransomware to access electronic health records and diagnostic, imaging and staff intranet services, as well as secretly withdrawing personal identifiable information and patient health information (PHI) and threatening to release the data if a ransom is not paid.
John Riggi, the American Hospital Association’s national advisor for cybersecurity and risk, said: ‘This particularly urgent alert is directly relevant to ongoing ransomware threats currently targeting hospitals and health systems.’
Pseudonymous blogger known as Dissent Doe, a healthcare professional who has been reporting on ransom incidents in the health sector for the past decade, told DailyMail.com: ‘While Daixin Team wouldn’t directly confirm involvement in the CommonSpirit attack or receipt of any ransom, all signs point to ransom having been paid – not the least of which is that if CommonSpirit hadn’t paid, some group would have publicly claimed responsibility and started leaking data to put pressure on them.’
CommonSpirit has not updated their incident report page since October 17, which is shortly before Doe believes the ransom was paid and the systems started to be restored.