Some Prospect Medical Hospitals in Dire State, Post-AttackContinued Operation of 3 Connecticut Hospitals Now in Question
An August cyberattack on a national hospital chain may make medical care in underserved areas of Connecticut even harder to obtain now that a would-be buyer said it's having second thoughts about going through with the deal.
Hackers from the Rhysida ransomware-as-a-service group claimed responsibility for an attack on Prospect Medical that forced the hospital chain's IT systems to go offline for several weeks following an Aug. 1 discovery of the intrusion (see: California Hospital Chain Facing Ransom, Service Disruption).
Prospect Medical reported Friday to regulators that the cyberattack compromised the protected health and personal information of more than 190,000 individuals.
Swept up in the attack were Prospect's three Connecticut hospitals, which have been under an acquisition agreement with another healthcare provider.
The prospective buyer - Yale New Haven Health - said it is having serious second thoughts about going through with a deal it struck in October 2022 to purchase Prospect Medical's three hospitals and its other related Eastern Connecticut Health Network operations.
That includes Waterbury Hospital, which has 357 beds; Manchester Memorial Hospital, which has 249 beds; and Rockville General Hospital in Vernon, Conn., which has 102 beds. The federal government classifies central Waterbury as a "medically underserved area." The other two hospitals are in areas where portions of the populace such as low-income residents find it difficult to find medical care.
Federal authorities say little is known about Rhysida's origins or country affiliations. But the pattern of Rhysida's targets loosely aligns with Russian-speaking ransomware groups that avoid hacking targets located in former Soviet or eastern bloc countries.
So far, Prospect's ongoing investigation into the incident has determined that an "unauthorized party" gained access to its IT network between July 31 and Aug. 3, acquiring files containing information pertaining to Prospect Medical employees and dependents, and patients, the organization's sample breach notice said.
"We have mounting concerns about the viability of our transaction with Prospect Medical Holdings to acquire substantially all the assets of Waterbury and ECHN hospitals," Yale New Haven Health said in a statement provided to Information Security Media Group on Monday.
"Our concerns include the deteriorating condition of the Waterbury and ECHN hospitals, particularly in light of the cyberattack last month, and the State Office of Health Strategy process to review the certificate of need application that we filed last November," Yale New Haven Health said.
"To salvage the acquisition of these community hospitals, we have proposed a multi-party recovery plan. We are engaged in conversations with Prospect about the plan, and we stand ready to engage with the state. We believe that every day that passes without a path forward puts the transaction more at risk."
California-based Prospect Medical Holdings, which operates 16 hospitals, 166 outpatient clinics and other practices across fives states, did not immediately respond to ISMG's request for comment.
Prospect Medical's cyberattack forced many cancellations of procedures and the diversion of patients to other facilities. In some cases, the attack still hampers hospital billing to payers such as Medicaid, according to the Hartford Courant.
During a meeting last week, Prospect Medical hospital executives told state legislators that their hospitals' financial problems, which were exacerbated by the cyberattack, are now dire. The medical centers are struggling to pay vendors, even bills for bed linens, the Hartford Courant reported.
The Courant also reported that the hospital executives warned lawmakers during the meeting that if the state did not move fast to finalize the sale of the Prospect Medical hospitals to Yale New Haven Health, the three hospitals may no longer be financially viable.
Prospect Medical is not the first healthcare organization to have already-serious financial issues and other challenges significantly worsen in the aftermath of a disruptive cyberattack.
In June, St. Margaret’s Health, a small rural hospital in Illinois shut down permanently due in large part to being unable to bounce back from a 2021 ransomware attack (see: Rural Healthcare Provider Closing Due in Part to Attack Woes).
Poor cybersecurity at struggling hospitals is part of a vicious cycle, said Brett Callow, threat analyst at security firm Emsisoft.
"It seems probable that organizations that have unhealthy financials are less likely to invest in cybersecurity, less likely to respond to an incident effectively, and less likely to recover from an incident," he said.
"In the case of hospitals and other critical infrastructure providers this represents a significant problem as it means incidents can have a serious and potentially risk-to-life impact," he said.
Mike Hamilton, co-founder and CISO of security firm Critical Insight, urged hospitals to at least take key measures to help prevent falling victim to cyberattacks.
"Based on the most prevalent methods used to compromise healthcare organizations, two areas need focus. Users should have extremely limited access to the Internet - ideally that access should be on a personal, not company device. Second, develop process for rapidly addressing public-facing vulnerabilities," he said.