A Nashville, Tenn.-based healthcare company, Ardent Health Services, has been hit with ransomware, causing its facilities to reschedule elective procedures and divert some emergency room patients to other local hospitals until systems are back online.
Ardent owns and operates 30 hospitals and 200 healthcare sites (including medical centers, cancer centers, rehabilitation centers and more) across six states. The healthcare provider first became aware of the attack on Nov. 23, and is currently working with third-party threat intelligence and forensic companies, as well as law enforcement, to investigate the attack and restore access to electronic medical records and other clinical systems, like MyChart and on-demand video visits.
“Ardent’s information technology (IT) team immediately began working to understand the event, safeguard data, and regain functionality,” according to the company in an update on its website on Monday. “As a result, Ardent proactively took its network offline, suspending all user access to its information technology applications, including corporate servers, Epic software, internet and clinical programs.”
Patient care is mostly being delivered across Ardent hospitals, emergency rooms and clinics. However, its hospitals are currently operating on divert, meaning they are asking local ambulance services to transport emergency care patients to other hospitals in the area. At the same time, some “non-emergent, elective” surgeries have been paused temporarily.
“Healthcare providers simply can't keep up with the ever-changing tactics of ransomware groups and many ransomware groups are motivated to go after healthcare providers."
Ardent does not yet know the extent of patients' health or financial data that has been compromised, and it has not yet said how the attack first occurred.
“On the surface, this attack appears to be really bad,” said Allan Liska, threat intelligence analyst with Recorded Future. “Disrupting emergency room access any time of the year is problematic, but it is especially terrible during the holidays where there are more patients being admitted.”
Security issues pose a big challenge for hospitals and healthcare providers, with a number of organizations - including CommonSpirit Health, Monongalia Health System and St. Joseph Candler Health System - being impacted over the past years. Some of these organizations, like Ardent Health Services, were forced to divert patients away from their emergency departments or reschedule appointments and surgeries. At the same time, the data that’s at stake in healthcare sector cyberattacks is also potentially extra sensitive, ranging from data about medical conditions to PII.
For ransomware actors, this sector has been a lucrative space. U.S. government agencies last year warned that a cybercrime group called Daixin Team had launched ransomware attacks specifically against the healthcare and public health sector, using security weaknesses around virtual private network (VPN) servers as an initial access vector. Liska said that so far, Recorded Future has tracked 316 publicly reported ransomware attacks against healthcare providers in 2023. In 2022, there were 245 publicly reported attacks, while in 2021 there were 290.
“Healthcare providers simply can't keep up with the ever-changing tactics of ransomware groups and many ransomware groups are motivated to go after healthcare providers,” said Liska.