St. Joseph’s/Candler Back Online After Ransomware Attack

August 20, 2021 - St. Joseph’s/Candler (SJ/C), Savannah, Georgia’s largest health system, is once again fully operational after suffering a ransomware attack earlier this year that exposed protected health information (PHI), according to a report from local news outlet Savannah Morning News.

The cyberattack forced the health system into EHR downtime, and providers were required to document clinical notes on pen and paper. The breach impacted 1.4 million individuals, said the HHS Office for Civil Rights (OCR).

The breach was detected on June 17, but further investigations revealed that an unauthorized third party accessed the health system’s IT network as early as December 18, 2020.

St. Joseph’s/Candler initially posted a statement on its Facebook page when it became aware of suspicious activity on June 17, and released an official press release on August 10. The health system recently began mailing letters to impacted patients and employees.

“SJ/C cannot rule out the possibility that, as a result of this incident, files containing patient and co-worker information may have been subject to unauthorized access,” the August 10 press release stated.

“This information may have included individuals' names in combination with their addresses, dates of birth, Social Security numbers, driver's license numbers, patient account numbers, billing account numbers, financial information, health insurance plan member ID numbers, medical record numbers, dates of service, provider names, and medical and clinical treatment information regarding care received from SJ/C.”

The health system, which is comprised of 116 service locations, did not cancel any surgeries or procedures. However, telecommunications and computer systems were inaccessible for a period of time, and cancer patients were asked to verify appointments.

"We're fully operational right now," Paul Hinchey, CEO and president of St. Joseph’s/Candler, told Savannah Morning News.

"There are a few hotspots where we have to change out computers. But in terms of the hospital...we're back electronically, which was a big change for us, because we went from a fully integrated system to a paper system, and we haven't done that in 25 years."

The provider is offering impacted individuals free credit monitoring and identity protection services. Additionally, SJ/C said it will implement enhanced security and adopt cybersecurity safeguards to prevent future cyberattacks.

On top of the strain brought on by COVID-19, cyberattacks are wreaking havoc on the healthcare sector. Financial and operational disruptions make it difficult for hospitals to ensure quality patient care while also protecting valuable health data.

However, a recent survey by CyberMDX and Philips found that most hospital IT teams do not consider cybersecurity a high investment priority. Almost half of surveyed health IT and information security executives reported being forced to shut down operations in the last six months because of a cyber threat.

Large hospitals facing a cyber threat tend to incur costs of up to $21,500 per hour for an average of 6.2 hours, while midsize hospitals are typically shut down for around 10 hours at a rate of $45,700 per hour, the survey found.

But only 11 percent of respondents said that cybersecurity is a high priority spend at the moment, and over half admitted that their hospitals were unprotected against Bluekeep, WannaCry, and NotPetya, some of the most common cybersecurity vulnerabilities.

Some larger providers like SJ/C have the resources to update their cybersecurity strategies, but smaller hospitals are struggling to find room in their budgets for cybersecurity investments.