Cyberattack hobbles Universal Health Services

Universal Health Services, a King of Prussia-based operator of 26 hospitals and 183 inpatient psychiatric facilities in 37 states, said Monday that its computer networks had been knocked offline by an unspecified “security issue.”

UHS, which operates seven psychiatric facilities in the Philadelphia region, said in a short statement posted on its website Monday that it is working “diligently with our IT security partners to restore IT operations as quickly as possible.”

“Patient care continues to be delivered safely and effectively” with “offline documentation,” the statement said. The company said that “no patient or employee data appears to have been accessed, copied or misused.”

UHS provided no details, but people posting to an online Reddit forum who identified themselves as employees said the chain’s network was hit by ransomware overnight Sunday. The posts echoed the alarm of a clinician at a UHS facility in Washington, who described to the Associated Press a mad scramble, including anxiety over determining, without being able to check digital records, which patients might be infected with the virus that causes COVID-19.

Ransomware is a growing scourge in which hackers infect networks with malicious code that scrambles data and then demand payment to restore services.

Increasingly, ransomware purveyors are downloading data from networks they infiltrate before encrypting targeted servers, using it for extortion. Earlier this month, the first known fatality related to ransomware occurred in Dusseldorf, Germany, after an attack caused IT systems to fail and a critically ill patient needing urgent admission died after she had to be taken to another city for treatment

In Washington, where UHS owns and operates George Washington University Hospital, a clinician described a high-anxiety effort to handle the loss of computers and some phones starting Sunday. The person, involved in direct patient care, was not authorized to speak publicly and described the chaotic situation on condition of anonymity.

The loss of computer access meant that medical staff could not easily see lab results, imaging scans, medication lists, and other critical pieces of information doctors rely on to make decisions. Phone problems complicated the situation, making it harder to communicate with nurses.

Hospitals have become frequent targets of ransomware.

In the United States alone, 764 providers were victimized last year by ransomware, according to the cybersecurity firm Emsisoft. It estimated the overall cost of ransomware attacks in the U.S. at $9 billion a year in terms of recovery and lost productivity. The only way to effectively recover, for those unwilling to pay ransoms, is through diligent daily data backups.

In June, Crozer-Keystone Health System suffered a malware attack that impacted certain health information, including lab testing information for some Crozer patients. “We believe that none of the impacted information is at risk for misuse or public disclosure,” Crozer said in an August statement.

UHS is one of the nation’s largest for-profit hospital operators and the largest operator of inpatient mental health facilities. In the Philadelphia region UHS owns Hampton Behavioral Health Center Westampton, Brooke Glen Behavioral Hospital in Fort Washington, Foundations Behavioral Health in Doylestown, the Horsham Clinic in Ambler, and Keystone Center in Wallingford, as well as Fairmount Behavioral Health System and Friends Hospital in Philadelphia.

None of its acute-are hospitals is in the Philadelphia region. The company also has facilities in Puerto Rico and Britain.

Staff writer Harold Brubaker contributed to this article.