Scripps Reports Data Theft, EHR Back Online, but Global Outages Persist

Providers swept up in the latest ransomware wave are in various stages of recovery. Leading this cyber roundup: Scripps Health has brought its EHR back online four weeks after an attack.

Scripps Health brings EHR back online four weeks after ransomware attack, but Ireland and New Zealand hospitals are still struggling with EHR downtime

By Jessica Davis

Scripps Health has restored the majority of its network and brought its Epic EHR back online, four weeks after falling victim to a ransomware attack, according to a May 27 status update.

The health system is seeing an uptick in phone calls and patient requests via its patient portal, as the network is brought back to normal operations.

“We continue to make progress. When you come in for care, your medical history is again at our fingertips electronically, and we’ve increased capacity at our internal call center to help answer patients’ questions,” Scripps President and CEO Chris Van Gorder said in an earlier update.

“Our IT teams and outside consultants are literally working around the clock to restore our systems,” he added. “Rest assured, we have thorough backups and are using them to help our restoration efforts. Even so, there is no ‘easy-button.’”

However, a June 1 update revealed that the investigation has determined the attackers gained access to the network, deployed malware, and exfiltrated copies of data on April 21.

On May 10, officials said they were able to access a small number of documents tied to the initial attack, some of which were found to be patient information. As the investigation is ongoing, it's unclear what information is contained in the remaining stolen documents.

For now, officials have confirmed that the data varied by patient and could include names, contact details, dates of birth, health insurance information, medical record numbers, patient account numbers, and/or clinical information, like provider names, dates of service, and/or treatment information.

About 2.5 percent of patients also had Social Security numbers and driver's license numbers compromised during the incident.

The investigation also determined Scripps’ electronic medical record application was not accessed during the attack. The data was instead stolen from other documents stored on its network.

The early notification is an important step for patient privacy in light of the data theft. Under HIPAA, notifications are due 60 days after a breach is discovered. By quickly notifying patients, efforts can be made to protect their data and to avoid falling for scams.

Currently, the data has not been posted or publicly leaked by the attackers.

The attack struck in the early hours of May 1, forcing the health system to revert to its pre-established EHR downtime procedures amid its recovery efforts.

Telemetry was affected at many care sites and operations were disrupted at two out of four Scripps hospitals. The website and backup servers were also brought offline. Some critical patients were diverted to other area hospitals in the days following the attack, and other appointments were delayed.

Outpatient urgent care centers, Scripps HealthExpress locations, and emergency departments remained open throughout the attack. But all four main hospitals in Encinitas, La Jolla, San Diego, and Chula Vista were placed on emergency care diversion for stroke, heart attack, and trauma patients.

Law enforcement and an outside cybersecurity team have been assisting Scripps with its recovery efforts and investigation, while the California Department of Health (CDPH) later confirmed the outages were caused by ransomware and reported the agency was monitoring the incident.

Scripps partnered with Quest Diagnostics and LabCorp during the recovery efforts to support its imaging and lab services during the outages. Its website was brought back online last week.

The investigation is ongoing, and some systems still need to be brought back online, according to local news outlet the San Diego Union-Tribune. Employee terminals are taking longer than anticipated to recover; once restored, they will better support front-line clinicians in digitally documenting patient care.

It’s yet to be determined whether patient, employee, or business data was impacted by the attack. Van Gorder previously noted attackers are using information reported to the public for sending scam communications to the organization.

“I know that, for some of you, the reasons why we haven’t provided more frequent updates may not matter. But it was important for me to share and assure you that our patients’, employees’, and physicians’ safety and security are our constant guides,” he explained.

Ireland HSE Attack

The Ireland Health Service Executive is continuing to experience widespread delays, IT outages, and EHR downtime more than two weeks after a significant ransomware attack by Conti threat actors. The HSE is the country’s primary public health and social services provider.

The latest update on May 28 shared that the HSE shut down the hospital and health IT services to protect against further system intrusions. The IT team is continuing to safely and effectively restore the impacted systems.

HSE officials first reported the attack on May 14 and have provided frequent and transparent notices about the incident to the public. Those insights include directions to staff to keep devices offline to stymie the impact.

The attack has caused significant outages across the health system. Though patient care has continued throughout the incident, patients have been repeatedly warned to expect serious delays and to only visit emergency sites in cases of life-threatening conditions.

The website notices explain emergency departments remain open for all medical emergencies, but are very busy due to the IT outages. Most appointments have continued, but many X-ray appointments have been cancelled.

Some hospitals were forced to cancel all patient appointments, while most community health services such as disability, mental health, primary care and older people’s services are continuing to operate as normal. Appointments will be rescheduled as soon as possible.

“Online services affected by the cyber attack include medical card applications and GP visit card applications. There are delays with issuing birth, death or marriage certificates. The processing of requests for records under the FOI Act and Data Protection Acts are also affected,” according to the HSE.

The HSE has received widespread support from industry partners, law enforcement, and others. While the Conti group provided the HSE with a decryptor following the media blowback, officials said the tool was flawed and raised serious security concerns.

Instead, third-party security firm Emsisoft provided a decryptor tool that would be tailored to the health system. Emsisoft has been providing all healthcare entities with ransomware support throughout the COVID-19 pandemic.

Despite the progress, the May 28 update warns the system restoration could take days or even weeks more. Further, it’s taking clinicians longer to manage care because many of the hospitals’ systems are simply not working.

Some previous reports warned the attackers may have stolen and leaked patient data amid the incident. While the latest notices are not explicit on the impact to patient data, the update warned that officials are “doing all we can to protect and recover the data.”

Alaska DHSS Website Attack

The website for the Alaska Department of Health and Social Services remains offline more than one week after a malware infection on May 17 prompted the IT team to take the site down to investigate.

Other DHSS sites impacted by the malware include the public website, Behavioral Health and Substance Abuse Management System, the background check system, the system for schools to report vaccine data, vital statistics system, and a host of others.

Fortunately, the COVID-19 vaccine appointment scheduling and data dashboards remain unaffected, as the platforms are hosted by outside sources. The investigation is ongoing and no public statements have been made since the attack was announced earlier last month.

Cyberattack on New Zealand Hospitals

Two weeks after falling victim to a ransomware attack, the New Zealand Waikato District Health Board (DHB) reports there are continued patient care delays and IT disruptions at the Waikato, Te Kuiti, Taumarunui, Thames, and Tokoroa hospitals and its community-based services.

The latest update revealed that some clinics are completely shut down in direct response to the attack, including neurosurgery, cardiology, and vascular departments.

Urology is closed for patients, unless the clinic directs the individual, while the plastics department is closed outside of urgent patients and those in need of wound care. Neurology clinics remain down this week, as well, outside of some specialist services.

Meanwhile, the radiation department is contacting patients to discuss alternative plans. Acute surgeries are continuing, as well as planned elective surgeries, as long as they can be safely performed.

Further, officials warned that cybercriminals have attempted to scam patients in response to the incident, and patients are being urged to be on high alert.

The DHB is working with the country’s privacy commissioner, National Cyber Security Centre, and the Government Communications Security Bureau on the investigation into the attack. 

As previously reported, the New Zealand hospitals were struck by a ransomware attack on May 18, crashing phone lines and computers across the health system. The attack targeted the IT system, disrupting all clinical systems and IT services except email.

The attack mirrors the Ireland HSE incident, with patients being urged not to visit the emergency department for non-life-threatening conditions. Providers can’t send X-ray images between departments, and local media shows the attack has caused turmoil at the impacted sites.

Clinicians are continuing to employ pen and paper and other manual processes for patient treatment, as the recovery team continues to bring systems back online.

These attacks should serve as a reminder to US healthcare provider organizations, particularly as they continue to respond to the pandemic. As seen with the four-week outage at Universal Health Services in the fall, ransomware attacks can cause as much as $67 million in recovery costs and lost revenue.