Cyber Incident Victim: Hospital Sisters Health System

Date: Aug 2023

Location: United States of America

Summary

Hospital Sisters Health System experienced a significant cybersecurity incident that caused a system-wide outage. The outage affected clinical and administrative applications, patient communication systems, and some phones and internet services. While patient care continued, the incident potentially compromised data, leading to a review process and subsequent notifications to affected individuals.

Description

On or around August 25, 2023, the Hospital Sisters Health System (HSHS) began experiencing a severe and widespread system outage that impacted its entire infrastructure. The outage was not resolved after more than two days, indicating a significant and persistent disruption to normal operations. The incident affected a broad range of clinical and administrative applications critical to the daily functions of the healthcare system. This included outages to some phone systems and internet connectivity, severely hampering internal and external communications. The MyChart patient portal, a vital tool for patients to schedule and manage appointments, message care teams, pay bills, access test results, receive after-visit instructions, and request prescription refills, was also rendered unavailable due to the outage. The scope of the impact was extensive, affecting not only the core HSHS hospitals but also the HSHS Medical Group, Prairie Cardiovascular clinics, and Prevea Health, which partners with six HSHS hospitals across Wisconsin.

While HSHS officials did not immediately publicly confirm the root cause of the outage, external software experts indicated that all signs pointed to a cybersecurity attack. A computer consultant noted there was a very strong possibility the outage was the result of some sort of outside attack, citing the nature and scale of the disruption. The expert reasoned that a simple internet or equipment failure would typically affect a smaller, more localized area, such as a specific neighborhood or a single location. However, the fact that the outage simultaneously impacted all of HSHS's numerous locations across Illinois and Wisconsin strongly suggested a malicious cyber incident rather than a routine technical failure. The consultant further explained that hospitals, along with other entities like law firms and government agencies, are considered high-value targets for cybercriminals due to their financial resources and the critical nature of their operations, making them prime targets for ransomware attacks.

The potential implications of such a cybersecurity breach were described as severe and multifaceted. If a breach did occur, a number of critical assets could be at risk, including the safety and care of patients currently hospitalized. There have been instances in other healthcare organizations where cybersecurity attacks led to the cancellation of surgeries and the inability to administer medication and prescription drugs, directly impacting patient health outcomes. Beyond the immediate disruption to patient care, the incident posed a significant threat to vast quantities of sensitive data. This included confidential patient information, employee data, and proprietary company data, all of which could have been compromised during the attack. The healthcare system was forced to acknowledge that the outage was causing considerable inconvenience for patients and that services were taking longer to schedule or receive.

In response to the ongoing crisis, HSHS established a dedicated webpage to provide updates to the public and stakeholders, acknowledging the severity of the situation and the efforts being undertaken to resolve it. The organization expressed gratitude to its caregivers, colleagues, and physicians who were persevering to ensure the continuation of services despite the overwhelming challenges posed by the system-wide failure. Patients were instructed via the HSHS Medical Group's Facebook page to keep their in-person appointments, indicating that clinical operations were continuing through alternative, likely manual, processes. The organization's vision to provide exceptional care centered on the whole person was upheld by clinicians and partners working to ensure patients could receive the care and services they needed as quickly and as safely as possible under the extraordinary circumstances.

The incident response process was likely complex and involved enacting pre-established incident response plans. It was suggested that HSHS probably brought in outside help to assist with the remediation efforts, as specialized companies exist to handle such cybersecurity incidents, including firms that negotiate ransoms on behalf of targeted companies. The consultant emphasized the inherent difficulty in defending against such attacks, noting that while cybersecurity professionals must secure every potential vulnerability perfectly, threat actors only need to find a single unpatched system or one security hole to gain access and cause widespread damage. The stress on all stakeholders, including the company, its employees, and its patients, was described as immense, with a great deal at risk throughout the duration of the incident.

Following the initial attack and the work to restore systems, HSHS began the arduous process of reviewing the data that was potentially impacted. This review process was described as needing time to be both thoughtful and thorough. On October 26, 2023, in accordance with applicable laws and regulations, HSHS began notifying individuals whose personal information may have been involved in the incident. The notifications were conducted on a rolling basis as the data review process continued to progress. Any individual whose data was involved was to receive a letter from the HSHS System Privacy Officer mailed to the address on file. This letter contained important and relevant information about the incident and detailed the support being provided to those affected. The organization reiterated its deep value for the trust its communities place in it and thanked the public for their patience as it continued to manage the aftermath of the event with attention, care, and diligence.
