IL Rural Hospital Cites Cyberattack As Factor in Closing Doors

June 13, 2023 - St. Margaret’s Health will close the doors of its Spring Valley and Peru, Illinois locations on Friday, June 16, in part due to a cyberattack that it suffered in 2021. A ransomware attack on St. Margaret’s Health –Spring Valley in February 2021 drove the hospital into EHR downtime and prevented it from submitting claims to insurers for months, NBC News reported.

The rural hospital was founded in 1903 by the Sisters of Mary of the Presentation. In 2021, St. Margaret’s Hospital in Spring Valley and Illinois Valley Community Hospital (IVCH) in Peru consolidated their operations to form a regional health network run by the SMP Health ministry. Illinois Valley Community Hospital was renamed St. Margaret’s Health – Peru.

But by January 2023, St. Margaret’s Health – Peru had temporarily suspended all inpatient hospital services, including the Emergency Room & Obstetrics. 

“St. Margaret's Health has diligently tried to integrate the Illinois Valley Community Hospital into St. Margaret's Health so that the two hospitals and their clinics could maintain health care for the people of the Illinois Valley and the surrounding areas,” said Suzanne Stahl, chair of SMP Health, in a video posted on Facebook.

“Rural hospitals are struggling throughout the nation and many have already closed. Due to a number of factors such as the COVID-19 pandemic, the cyberattack on the computer system of Saint Margaret's Health, and a shortage of staff, it has become impossible to sustain our ministry.”

READ MORE: Revenue Cycle Vendor Discloses Breach Tied to Fortra GoAnywhere Hack

St. Margaret’s Health has since signed a non-binding letter of intent with OSF HealthCare, a nonprofit Catholic Healthcare organization, to acquire the Peru campus and its related ambulatory facilities.

Melanie Malooley-Thompson, mayor of Spring Valley, posted a statement on Facebook regarding the closure, emphasizing the impact that this closure will have on Spring Valley residents.  

“The private owners decided on the hospital's fate, and we were not given prior notice or an opportunity to work together to find a solution. While we all strongly disagree with the closure of this facility, we understand the financial constraints prevent them from keeping the doors open past June 16, 2023,” Malooley-Thompson stated.

“The hospital closure will have a profound impact on the well-being of our community. This will be a challenging transition for many residents who rely on our hospital for quality healthcare.”

A 2021 Government Accountability Office (GAO) report found that between 2012 and 2018, the median travel distance to a hospital increased by about 20 miles in areas where a rural hospital had closed.

READ MORE: HC3 Guidance Explores Cyber Threat Actors Targeting Healthcare

GAO also observed that even prior to COVID-19, many rural hospitals were in financial distress in the years leading up to their closure. What’s more, cyber threats can be difficult to tackle as rural hospitals are less likely to have the financial and staffing resources to devote to mitigating cyber risk.

“It's important to note that the ransomware attack, while significant, is not the only thing leading the organization to close its doors. Unfortunately, while these attacks are not often the primary reason for an organization to shut down, the significant additional stress and financial impact caused by one of these attacks can be a major factor,” Erich Kron, security awareness advocate at KnowBe4, told HealthITSecurity.

“This is an important thing to understand as in many organizations when finances become lean, it's very tempting to reduce budget for things like cybersecurity. Many organizations have suffered the effects of ignoring cybersecurity in favor of the bottom line, only to find out it was a poor decision.”

United States Senators are aiming to reduce this disparity via the Rural Hospital Cybersecurity Enhancement Act, introduced by Senators Josh Hawley (R-MO) and Gary Peters (D-MI) in May.

If passed, the act would require the Cybersecurity and Infrastructure Security Agency (CISA) director to develop a “comprehensive rural hospital cybersecurity workforce development strategy.” In addition, the act would require the CISA director to create instructional materials to help rural hospitals train staff on key cybersecurity measures. 

READ MORE: Cybersecurity Incident at MercyOne Triggers Potential Patient Data Loss

“For organizations that are struggling financially, it is important that they are very intentional about where they spend their cyber budget,” Kron added. “Many organizations spend a considerable amount on advanced technical products while ignoring or minimizing efforts to reduce the things that cause most data breaches and malware infections, such as email phishing attacks.”

Focusing on employee education in addition to technical controls is a more cost-effective way to reduce risk.