5 Providers Still in Downtime, as Sky Lakes Confirms Ryuk Ransomware

By Jessica Davis

November 03, 2020 - Nearly a week after a reported security incident, Sky Lakes Medical Center in Oregon confirmed Ryuk ransomware actors were behind the cyberattack. In total, five major healthcare providers across the US are continuing to operate under EHR downtime after falling victim to similar attacks.

Late Wednesday, the FBI reported it was investigating a coordinated wave of cyberattacks aimed at the US healthcare sector, while a federal agency alert warned providers must take action against this imminent and pervasive threat.

At the time, Sky Lakes, the University of Vermont Health Network, and St. Lawrence Health System in New York reported similar incidents and EHR outages. Those attacks mirrored earlier ransomware attacks on Sonoma Valley Hospital, Dickinson County Healthcare System, and Universal Health Services, which was reportedly one of the first healthcare victims of the most recent wave of attacks.

UHS is the only provider that has successfully recovered after its cyberattack, which lasted for more than three weeks. All other providers continue to operate under downtime procedures, and for some, several weeks after the initial attack.

Sky Lakes Update

The attack on Sky Lakes was launched early on October 27. Four days later, officials confirmed Ryuk actors were behind the attack. The provider is continuing to work with a third-party cybersecurity team to investigate the ransomware attack, which centered on its core computer systems.

Despite paper forms temporarily replacing computers for many tasks, the health system’s clinics and pharmacies are continuing to provide patient services and care, including emergency and urgent care departments.

Dickinson County

Dickinson County Healthcare in Michigan is continuing its recovery efforts, after falling victim to a ransomware attack more than two weeks ago on October 17.

The latest update shows the provider is working with third-party cybersecurity and IT experts to remediate the disruption and securely restore its systems using available backup files. DCHS launched established contingency procedures immediately following the attack, allowing clinicians to maintain patient care services.

“Nearly all patient care services, including the hospitals 24/7 emergency department are currently open and operational,” officials said in a statement. “While some of our IT systems are down, clinical staff has temporarily shifted operations into manual procedures and are using paper copies in place of digital records to support ongoing services and provide safe care to our patients.”

“We are, on a one-by-one basis, in the process of inspecting, cleaning, restoring, and testing our systems before bringing them back online for use,” they added.

Law enforcement has been notified, as DCHS continues to investigate the scope of the incident amid its recovery efforts.

Sonoma Valley Hospital Update

For Sonoma Valley Hospital, the initial reports said EHR downtime procedures were launched due to a security incident. The latest update provided on October 30 confirmed the incident was caused by a ransomware attack. Officials did not name the variant used in the attack.

Directly following the detection of ransomware, the hospital took its systems offline to stop the proliferation of the attack. Working with a third-party IT and forensics team, Sonoma Valley’s IT team was able to successfully prevent the attacks from blocking system access and “ultimately expelled them from our system.”

Unfortunately, before access was blocked, the hackers may have removed a subset of data from the hospital network.

“Based on the reports of the investigation, it is possible that some patient medical information was compromised,” officials said in a statement. “We do not believe that patient financial information such as financial account information or payment information was affected.”

“Sonoma Valley Hospital’s electronic health record system was not affected by this incident,” they added. “The forensic investigation is ongoing to identify individual patients potentially affected and specific data involved. We will notify affected patients, as appropriate, when we have more detailed information available to us.”

Sonoma Valley is leveraging its business continuity plan to maintain patient care, including emergency care services, necessary surgeries, elective procedures, and the majority of diagnostics tests. The patient portal has remained available throughout the incident and recovery efforts, but officials said new results have not been posted to the portal since October 11.

The hospital did not pay the ransom demand and has been working with law enforcement to investigate the scope of the incident.

UVM Update

Meanwhile, UVM has also confirmed its massive IT outage was caused by a cyberattack launched during the week of October 25. The medical center in Burlington was the hardest hit by the attack, with continued impact on some care services and patient procedures.

As of November 2, patient care continues to be provided across all UVM sites and its urgent and emergency departments. The hospital’s patient portal is down for several UVM sites, and electronic communications between the medical center and some sites have been disrupted by the cyberattack.

The radiology department is also reporting appointment delays and is only open on a limited basis.

“Expect delays as we work through our interim process,” officials said in a statement. “If you were scheduled for any other breast imaging exam, please do not come in at this time, unless you were contacted directly. We are working hard on a solution so we can get all scheduled breast imaging patients in.”

Further, there was minimal impact on UVM’s Champlain Valley Physicians Hospital in Plattsburgh, New York. But the physicians' offices are continuing to rely on computer downtime services, including paper processes for communicating care. Patients were told to expect “slight delays.”

Outside of these delays, all other sites appear to be functioning as normal, as they were not as severely impacted by the incident.

“The University of Vermont Health Network is making steady progress toward restoring systems to normal operations following last week's cyberattack event,” officials explained. “We are dedicating additional internal resources to augment the effort.”

“Our IT team is reviewing hundreds of different patient care and operations applications to ensure our systems are secure and have temporarily blocked incoming email as part of that work,” they added. “We still do not know when full restoration will be complete.”

St. Lawrence Health System Incident

St. Lawrence Health System continues to operate under EHR downtime procedures, after falling to a ransomware attack one week ago. At the time, officials confirmed Ryuk was behind the attack. The infection was caught early, and officials have yet to provide a public update on its recovery efforts.

These attacks, combined with the joint alert from the FBI, Department of Health and Human Services, and the Department of Homeland Security should spur healthcare providers to employ preventative measures immediately to prevent falling victim.

On average, ransomware causes about 15 days of downtime with an average ransom demand of $111,000. As COVID-19 numbers continue to rapidly rise across the country, EHR downtime procedures can seriously impact patient care and safety.

The Office for Civil Rights, Microsoft, and NIST, have all previously provided extensive insights on this prevalent and disruptive threat. Security researchers, the FBI, and a host of others all warn against paying the ransom demand, while the Department of Treasury noted those payments may pose a sanction risk.

Latest Health Data Breaches News