Midwest Hospital Group Experiencing Systemwide IT Outage – Source: www.databreachtoday.com

Fraud Management & Cybercrime
,
Healthcare
,
Industry Specific

Incident Comes as Several Other Regional Providers Recover From Recent Attacks

Marianne Kolbasuk McGee (HealthInfoSec) •
August 29, 2023    

Two related healthcare organizations that operate dozens of clinics and 15 hospitals in the Midwest are the latest regional medical providers struggling with an enterprisewide IT outage affecting clinical and administrative applications.

See Also: Live Webinar | Unmasking Pegasus: Understand the Threat & Strengthen Your Digital Defense

IT systems and phones have been down systemwide since Sunday at Green Bay, Wisconsin-based Prevea Health and its sister organization, Springfield, Illinois-based Hospital Sisters Health System.

So far, Prevea Health and HSHS have not yet publicly stated whether the incident is tied to a cyberattack. But the IT disruption at organizations appears similar to IT outages still hampering several other regional healthcare providers in the aftermath of recent cyberattacks.

Those other entities include Prospect Medical Holdings, which is based in California but operates 17 regional hospitals and clinics in several states, and Singing River Health System, which has three hospitals and multiple medical facilities serving the Mississippi Gulf Coast region (see: Mississippi Hospital Systems Still Struggling With Attack).

Half of Prevea Health is owned by HSHS and half is owned by the medical group’s physicians. HSHS has 15 hospitals in Illinois and Wisconsin, and Prevea partners has six HSHS hospitals across Wisconsin. The two entities use the same electronic medical record system for all locations, according to Prevea.

In a joint statement posted Monday on Prevea’s website, the organizations said they are dealing with a “temporary” systemwide outage affecting clinical and administrative applications and communication, including the phone system, and MyChart and MyPrevea patient portals. On Tuesday, the HSHS website appeared to be completely offline.

“HSHS and Prevea have well-established downtime policies and procedures when we experience technology outages, and we are following those protocols and continuing to care for our patients with the same level of quality, safe and effective care,” the joint statement said.

“We acknowledge this outage is causing inconvenience for some patients and that services may take longer to schedule or receive.”

Prevea and HSHS did not immediately respond to Information Security Media Group’s request for comment and details about the outage.

Long-Lasting Impact

Meanwhile, a hospital worker at Singing River Health System in Mississippi told ISMG on Tuesday that the entity’s IT systems were still offline following its cyber incident that occurred over the weekend of Aug. 19. The entity declined ISMG’s request for additional details pertaining to the cyberattack and the status of the recovery.

In a statement to ISMG on Tuesday, Prospect Medical Holdings said it was still dealing with recovery work in the wake of the attack that hit it in early August, but IT systems are coming back online at some of its facilities.

“Prospect Medical’s computer systems are now substantially back up and running as normal in many of our markets and our hospitals, and affiliated providers are continuing to provide safe, quality care to patients following a data security incident that disrupted our operations,” the statement said.

“Work to input paper patient records used by our caregivers while our systems were down into our electronic medical record systems is ongoing.”

At least a dozen healthcare entities and related clinics have been forced into electronic health record
downtime during the first half of 2023 due to cyber incidents, said Toby Gouker, chief security officer for government health and risk management services firm First Health Advisory. “When systems are forced offline, patient safety, care morbidity due to delays, and care quality are at stake.”

But having to take IT systems offline to deal with a cybersecurity incident can also have far-reaching implications for healthcare sector entities in terms of financial impact.

“Data confirms that these outages can cost larger entities an average of $1 million per day in lost revenue and recovery costs,” Gouker told Information Security Media Group.

Just this month, Massachusetts-based health insurer Point32Health, which suffered a ransomware attack in April that compromised the personal information of more than 2.5 million individuals and disrupted IT systems for weeks, reported an adjusted net loss of $51.4 million for the six months ended June 30. Much of the loss was tied to the cyberattack.

The company said its adjusted net income includes an operating loss of $102.7 million and investment income of $51.3 million, excluding mark-to-market investment.

“Our operating results for the first six months of this year represent headwinds related largely to the cyber incident that are transient and one-time in nature,” said Scott Walker, chief financial officer at Point32Health, in the report.

Point32Health and its Harvard Pilgrim Health unit, which was directly affected by the cyberattack, are also facing several proposed federal class action lawsuits involving the data breach (see: Point32Health, Harvard Pilgrim Facing 4 Data Breach Lawsuits).