California Hospital Chain Facing Ransom, Service Disruption
'IT Complications' at Prospect Medical Holdings Shut Down Ambulances, Appointments
An apparent ransomware attack has forced a California-based hospital chain to divert ambulances from its emergency rooms and cancel appointments for services. The group of 17 hospitals, 166 outpatient clinics and other practices across several states is still recovering after an IT systems shutdown.
Access to the internet, email and electronic health records is down, and doctors and nurses have resorted to using paper charts for patient notes, a receptionist at one of Prospect's California hospitals told Information Security Media Group early Friday morning. Prospect Medical Holdings is headquartered in Los Angeles but owns hospitals in California, Rhode Island, Connecticut, Pennsylvania and New Jersey, as well as dozens of outpatient facilities, imaging centers and doctor groups in several other states, including Arizona and Texas.
A spokesperson for Prospect Medical Holdings said the attack disrupted operations and the company immediately took its systems offline and launched an investigation with third-party security consultants.
"While our investigation continues, we are focused on addressing the pressing needs of our patients as we work diligently to return to normal operations as quickly as possible," the Prospect spokeswoman said in a statement provided Friday morning to ISMG.
On Thursday, many of Prospect Medical Holdings' facilities began to curtail or cancel various patient services as the company responded to the incident.
Prospect's Eastern Connecticut Health Network, which includes two hospitals and dozens of other care facilities in Connecticut, had been diverting ambulances from its emergency rooms for a period starting on Thursday and stretching into early Friday morning. A message posted Friday on ECHN's website lists several outpatient centers and other care locations that are closed temporarily as "all" Prospect facilities experience "IT complications."
The FBI's office in New Haven, Connecticut, is involved in the investigation of the attack, according to news site WFSB.
Prospect did not immediately respond to ISMG's request for additional details about the incident. A spokeswoman for Prospect's Crozer Health in Pennsylvania described the incident to The Philadelphia Inquirer on Thursday as a "ransomware attack that is Prospect-wide."
Prospect Medical Holdings is the latest U.S. hospital chain to experience a disruptive cyberattack affecting many facilities in multiple states.
Last fall, CommonSpirit, a nonprofit Catholic hospital chain that has 143 hospitals and 2,300 other care facilities in 22 states, suffered a ransomware attack that disrupted patient services at some of its facilities for weeks, costing the company an estimated $160 million at last count (see: CommonSpirit Ups Cost Estimate on Its 2022 Ransomware Breach).
Large healthcare organizations are especially attractive prey for many cybercriminals, some experts contend.
"These criminals may research targets based on their size and range of services to the community, as disrupting a network of healthcare facilities across a region would tend to increase the urgency in resolving the issue," said Michael Hamilton, founder and CISO of security firm Critical Insight.
"Additionally, with potential support or assistance from state actors, targets may be selected for the psychological effect on the community, and that's always a possibility given the geopolitical situation of the world right now," Hamilton said.
But it is not just the disruption of ransomware attacks that menaces healthcare organizations. It is also the potential compromise of sensitive patient data, which is increasingly being exfiltrated and leaked on the dark web in these incidents.
"This is terrorism, and we need to start handling these gangs like we've handled other terrorists," Hamilton said.
In the meantime, healthcare and other organizations that operate facilities in multiple regions should take measures in advance to help prevent widespread impact across many locations in the event of an attack, he said.
"Good network separation and strong access control - and that goes for user accounts as well. A user at a clinic should not have credentials that allow access to other facilities in the organization, and this is especially true for network administrators."