Universal Health Services Network Knocked Offline

UPDATE--Universal Health Services, one of the larger health care systems in the U.S., was hit by an attack over the weekend that has affected most of the company’s facilities and resulted in network shutdowns across the company and patients being diverted to other hospitals in some locations.

Details of the incident are thin and come mainly from a Reddit discussion among employees at UHS facilities around the country. From the discussion, it appears that the incident began sometime on Friday and escalated over the weekend, with many facilities being affected by Sunday night. Employees reported being told to leave computers turned off for the time being, doing charts and medical records by hand, and some emergency rooms and other departments diverting patients to other hospitals. UHS released a statement Monday afternoon saying that the company’s IT network is currently offline because of a security incident.

“The IT Network across Universal Health Services (UHS) facilities is currently offline, due to an IT security issue. We implement extensive IT security protocols and are working diligently with our IT security partners to restore IT operations as quickly as possible. In the meantime, our facilities are using their established back-up processes including offline documentation methods. Patient care continues to be delivered safely and effectively,” the statement says.

“No patient or employee data appears to have been accessed, copied or otherwise compromised.”

While the attack bears some of the hallmarks of a typical ransomware attack, with computers freezing and some displaying ransom messages and the effects of the attack cascading through various networks over time, a company spokesman said UHS is not confirming that ransomware is involved. Several comments in the Reddit thread mentioned the Ryuk ransomware strain as the culprit. Ryuk is known for targeting enterprise environments exclusively and it has been distributed through a number of mechanisms, but mostly through spam emails that include either TrickBot or Emotet in an attachment. Emotet and TrickBot have been used as initial infection vectors on corporate networks, which are then exploited to deploy Ryuk.

Ransomware attacks against hospitals and other health care facilities have become quite common in the last few years as attackers have focused their attention on organizations that cannot afford to have extensive downtime or data loss. Both of those problems are especially severe in hospitals, where delays can have serious consequences for patient care.

UHS operates more than 400 facilities in the U.S. and the U.K. and had $11.4 billion in revenue in 2019.

On Tuesday, UHS released an update saying that patient care was continuing while the company worked to restore its systems.

"The Company has implemented extensive information technology security protocols and is working diligently with its security partners to restore its information technology operations as quickly as possible," the statement says.

"In the meantime, while this matter may result in temporary disruptions to certain aspects of our clinical and financial operations, our acute care and behavioral health facilities are utilizing their established back-up processes including offline documentation methods. Patient care continues to be delivered safely and effectively."

This story was updated on Sept. 29 to add the new statement from UHS.