UVM Health Continues to Feel Effects of Ransomware Attack

June 24, 2021 - The University of Vermont (UVM) Health Network fell victim to a ransomware attack in late October, and recent reports reveal that the network is still working to recuperate after losing upwards of $63 million. According to a report from local news outlet WCAX, the hospital is insured for $30 million, and will have to make up for additional costs on its own.

UVM Medical Center was hit the hardest, with malware infecting all 5,000 of its computers. The October 28th ransomware attack led to significant EHR downtime, which led to elective procedures being rescheduled. UVM Health confirmed that access to its EHR system was restored by November 23rd.  A statement released on December 22nd confirmed the malicious nature of the attack.

“Today, we shared more information about the attack and our response, and confirmed that it was ransomware. Our IT staff did find a note, which did not request money, but included instructions to contact the criminals responsible for the attack. UVM Health Network leaders did not follow those instructions and instead contacted the FBI,” the December statement reported.

According to the statement, no personally identifiable information (PII), employee information, or protected health information (PHI) was exposed during the attack. UVM Health’s IT team took down its Epic EHR system, patient portal, and employee email in order to protect valuable health data.

“However, since the ransomware destroyed the computer infrastructure on which the encrypted data resided, it took a significant amount of time for us to rebuild those systems. This sort of destruction is not usually a component of a ransomware attack, but it was a key aspect of the one that hit the UVM Health Network on October 28,” the statement said.

“IT staff had to rebuild the entire infrastructure before re-populating it with backed up files and data, in addition to scanning and cleaning 5,000 computers and endpoints that had been infected.”

In light of the attack, UVM Health had to furlough or reassign 300 UVM Medical Center employees who could not do their jobs because of the attack, according to Seven Days. Even months later, the financial impact of the attack is still being felt.

UVM Health did not engage with the attackers or pay the ransom, and the FBI is still investigating the attack. Because the health network is still calculating its losses, the true financial impact likely will not be known until insurance negotiations are complete.

The Green Mountain Care Board (GMCB), which approves hospital budgets for the state of Vermont, stated that the cost of the attack will surely surpass the insurance coverage. GMCB Chair Kevin Mullin acknowledged that the hospital’s quick response time will aid in reducing costs, but cyberattack prevention costs will have to play a big role in future budgeting.

“This will help us in the coming hospital budget process because we’ll be asking other hospitals what other measures they’ve taken, what insurance policies do they have, what steps has their IT department taken to mitigate the damage of an attack?” Mullin told WCAX.

Other hospital systems continue to be hurt financially as ransomware attacks ravage the healthcare industry. Scripps Health, a major hospital system in San Diego, California, is now facing two class-action lawsuits after a ransomware attack that plaintiffs say was preventable.