Ascension, one of the largest health systems in the United States with 140 hospitals, was struck by a cyberattack that affected computer systems across the country and impacted patient care, the system said in a statement Thursday.
The nonprofit chain said it detected the hack Wednesday and took immediate steps. News reports from Florida, Kansas and elsewhere said ambulances were told to take emergency patients to alternative hospitals.
Patient record systems and medication prescribing systems were among systems affected, requiring doctors and staff to use paper records, according to the local reports.
“There has been a disruption to clinical operations, and we continue to assess the impact and duration of the disruption,” the system said in a statement Thursday morning. It did not offer details about the nature or extent of the impact on patients. It said access to some systems had been disrupted “as this process continues.”
It said it was investigating which records were compromised. “Should we determine that any sensitive information was affected, we will notify and support those individuals in accordance with all relevant regulatory and legal guidelines,” it said.
The Catholic-affiliated Ascension, among the five largest networks in the United States by number of hospitals, is headquartered in St. Louis with operations in 19 states. It reported total revenue of $28.3 billion in 2023.
The hack comes as government and health-care officials focus renewed attention to cybersecurity in the wake the hacking of Change Healthcare, a subsidiary of UnitedHealth Group that is responsible for processing a vast amount of medical claims nationwide.
The cyberattack and ensuing outage disrupted operations across the country’s pharmacies, hospitals and medical practices, preventing them from getting paid and leaving consumers unable to use coupons they rely on to afford prescription drugs.
Health-care providers largely have been able to blunt direct impacts to patient care over the course of the Change Healthcare hack, even as they’ve taken out loans and resorted to filing medical claims on paper.
United Health Group’s chief executive, Andrew Witty, disclosed last month in a Senate hearing that it paid $22 million in bitcoin to hackers who targeted subsidiary Change Health and shut down medical billing systems across the country.
The vulnerability and United Health’s response came under intense criticism from lawmakers. In that hack, the criminals accessed computers using compromised credentials, entering through a system that did not require multifactor authentication.
Ascension said it had turned to a third-party contractor, Mandiant, to help it investigate and work on restoring service. It said it has notified other businesses that interact with its computers so they can take steps to protect their own systems, which often means disconnecting.
“Our care teams are trained for these kinds of disruptions and have initiated procedures to ensure patient care delivery continues to be safe and as minimally impacted as possible,” Ascension said.
Hackers in recent years increasingly have targeted U.S. medical systems with ransomware, which involves infiltrating an organization’s network and using malicious code to lock up its data. The FBI’s internet Crime Complaint Center received reports of 249 ransomware attacks on health-care infrastructure last year, the most of any sector it tracked, according to an annual summary released in March.