By Jonathan Mattise
Associated Press
NASHVILLE, Tenn. 鈥 A ransomware attack has prompted a healthcare chain that operates 30 hospitals in six states to divert patients from at least some of its emergency rooms to other hospitals, while putting certain elective procedures on pause, the company announced.
In a statement Monday, Ardent Health Services said the attack occurred Nov. 23 and the company took its network offline, suspending user access to its information technology applications, including the software used to document patient care.
The Nashville, Tennessee-based company said it cannot yet confirm the extent of any patient health or financial information that has been compromised. Ardent says it reported the issue to law enforcement and retained third-party forensic and threat intelligence advisors, while working with cybersecurity specialists to restore IT functions as quickly as possible. There鈥檚 no timeline yet on when the problems will be resolved.
Ardent owns and operates 30 hospitals and more than 200 care sites with upwards of 1,400 aligned providers in Oklahoma, Texas, New Jersey, New Mexico, Idaho and Kansas.
All of its hospitals are continuing to provide medical screenings and stabilizing care to patients arriving at emergency rooms, the company said.
鈥淎rdent鈥檚 hospitals are currently operating on divert, which means hospitals are asking local ambulance services to transport patients in need of emergency care to other area hospitals,鈥 the company said on its website. 鈥淭his ensures critically ill patients have immediate access to the most appropriate level of care.鈥
The company said each hospital is evaluating its ability to safely care for patients at its emergency room, and updates on each hospital鈥檚 status will be provided as efforts to bring them back online continue.
There was no immediate claim of responsibility for the attack. Ransomware criminals do not usually admit to an attack unless the victim refuses to pay.
[RELATED: Cyber alert 鈥 Public safety systems are currently under attack]
鈥淭he attack against Ardent Health is both egregious and quickly becoming the norm,鈥 said Allan Liska, an analyst at the cybersecurity firm Recorded Future. 鈥淪tories like patients being turned away from emergency rooms, hospitals being forced to resort to pen and paper for patient care, or hospital personnel unable to access medical records are increasingly common.鈥 He believes the problem is getting worse.
While some groups won鈥檛 attack hospitals, 鈥渢hey are greatly outnumbered by those who will and with the number of ransomware groups growing every day, the percentage who won鈥檛 attack hospitals is constantly decreasing,鈥 Liska said. 鈥淗ealthcare, in general, is an attractive target for these groups because there is a perception that they are more likely to pay, even though the evidence suggests otherwise.鈥
A recent global study by the cybersecurity firm Sophos found nearly two-thirds of healthcare organizations were hit by ransomware attacks in the year ending in March, double the rate from two years earlier but a slight dip from 2022. Education was the sector most likely to be hit, with attack saturation at 80%.
Increasingly, ransomware gangs steal data before activating data-scrambling malware that paralyzes networks. The threat of making stolen data public is used to extort payments. That data can also be sold online. Sophos found data theft occurred in one in three ransomware attacks on healthcare organizations.
[RELATED: Why cybersecurity is important for EMS leaders]
Analyst Brett Callow at the cybersecurity firm Emsisoft said 25 U.S. healthcare systems with 290 hospitals were hit last year while this year the number is 36 with 128 hospitals. 鈥淥f course, not all hospitals within the systems may have been impacted and not all may have been impacted equally,鈥 he said. 鈥淎lso, improved resilience may have improved recovery times.鈥
鈥淲e鈥檙e not in a significantly better position than in previous years, and it may actually be worse,鈥 he said.
鈥淲e desperately need to find ways to better protect our hospitals. These incidents put patients lives at risk 鈥 especially when ambulances need to be diverted 鈥 and the fact that nobody appears to have yet died is partly due to luck, and that luck will eventually run out,鈥 Callow added.
Most ransomware syndicates are run by Russian speakers based in former Soviet states, out of reach of U.S. law enforcement, though some 鈥渁ffiliates鈥 who do the grunt work of infecting targets and negotiating ransoms live in the West, using the syndicates鈥 software infrastructure and tools.
The Kremlin tolerates the global ransomware scourge, in part, because of the chaos and economic damage to the West 鈥 and as long its interests remain unaffected, U.S. national security officials say.
While industries across the spectrum have been hit by ransomware, a recent attack on China鈥檚 biggest bank that affected U.S. Treasury trading represented a rare successful attack on a financial institution.