Cyber Incident Victim: Richmond University Medical Center

Date:

May 2023

Location:

United States of America

Summary

Richmond University Medical Center suffered a ransomware attack that triggered a network outage, forcing clinicians to rely on manual processes for patient monitoring and data entry. An investigation into the scope of the attack and any potential compromise of patient information is ongoing with support from third-party cybersecurity experts. Despite the disruptions, the hospital continued to operate with full services, including its emergency department, and admitted patients while working to restore full system functionality.

CIA Posture: Available to members
Motives: 2 motives
Tactics, Techniques & Procedures: 1 technique
Threat Actors: 0 actors
Type: Available to members
Location: Available to members

Description

On or around May 4, 2023, Richmond University Medical Center (RUMC), a nearly 500-bed hospital located in Staten Island, New York, began experiencing intermittent network outages. These initial disruptions were the first signs of a significant cybersecurity incident. By the weekend of May 6-7, 2023, the intermittent outages escalated into a full-scale network outage, crippling the hospital's online services. The hospital confirmed the incident was a ransomware attack. Ransomware is a type of malicious software designed to block access to a computer system until a sum of money is paid. The precise initial attack vector and the specific ransomware variant deployed against RUMC were not publicly disclosed by the hospital.

The immediate impact of the attack was the forced implementation of network downtime procedures. Clinical staff and providers were compelled to adopt manual processes to monitor patients and enter data, as electronic systems were rendered inaccessible. This shift to paper-based operations introduced significant operational complications and increased the potential for human error in patient care documentation. A hospital employee described the situation as causing a "trove of complications" at the facility. Despite these severe technical disruptions, RUMC maintained that it continued to offer full patient services, including admitting patients and providing emergency care, outpatient, inpatient, and surgical services. The hospital's emergency department remained operational throughout the incident.

In response to the attack, RUMC initiated proactive containment measures to prevent the further spread of the ransomware within its network. These actions, while necessary for security, contributed to the ongoing network outage. A hospital spokesman, Alex Lutz, stated that as a result of these containment efforts, disruptions to clinical care had been limited with one significant exception: overnight trauma and stroke services were impacted. This specific service disruption indicates that the ransomware attack affected critical systems necessary for providing these time-sensitive medical interventions, potentially forcing delays or rerouting of patients requiring such specialized care during overnight hours.

The hospital’s response extended beyond immediate containment. RUMC engaged an outside, third-party cybersecurity firm to assist with two parallel efforts: investigating the full scope and cause of the attack and working to restore full functionality to the hospital's systems. The investigation aimed to determine the extent of the breach and whether any patient or hospital information was compromised. As of the latest reports, this investigation was ongoing, and the hospital stated it was not yet clear what specific data, if any, had been accessed or exfiltrated by the threat actors. It remained publicly unclear whether the attackers had issued a specific ransom demand to RUMC or if the hospital had any intention of paying such a ransom.

The recovery process was ongoing for at least a week after the full outage took hold. The hospital recovery team worked to bring systems back online to achieve full operational status. The duration of the outage, stretching over multiple days, underscores the severity of the attack and the complexity involved in restoring a healthcare network's myriad of interconnected systems safely and securely without compromising patient data or care standards. The incident placed RUMC within a broader context of cyberattacks targeting the healthcare sector in the spring of 2023. It was noted as the second U.S. hospital to report ransomware-related outages within a two-week period, following an attack on Murfreesboro Medical Clinic & SurgiCenter (MMC) in Tennessee, which began around April 22, 2023.

A comparison of the two incidents shows that the operational impacts at RUMC, while severe, were assessed as less severe than those experienced by MMC. The Tennessee provider had been forced to close all operations completely for two weeks, causing widespread patient care disruptions, including an inability to refill prescriptions and missed routine appointments. In contrast, RUMC managed to keep its doors open and continue providing the majority of its services, albeit with significantly degraded internal efficiency and manual workarounds. The attack on RUMC also occurred amidst a wave of other significant cyber incidents affecting global health sector entities, including Aspen Dental, Cornwall Community Hospital in Ontario, German health IT vendor Bitmarck, and insurer Point32Health and its subsidiary Harvard Pilgrim Health Care. These simultaneous attacks demonstrate the widespread and persistent threat ransomware poses to healthcare infrastructure globally.

The incident at Richmond University Medical Center exemplifies the real-world consequences of cyberattacks on critical infrastructure like hospitals. While patient care was largely maintained, the attack forced the institution into a state of degraded operations, relying on manual processes that are slower and more prone to error than automated digital systems. The need for nurses to individually monitor patients rather than utilizing centralized electronic monitoring systems represents a significant step backward in clinical efficiency and safety protocols. The ongoing investigation into the potential compromise of patient information also leaves a lingering concern for both the hospital and the individuals it serves, with the full scope of the data impact potentially unknown for some time. The event serves as a factual case study in how ransomware attacks can disrupt healthcare delivery, necessitating a complex and lengthy response and recovery process even when full facility closures are avoided.
