Cyber Incident Victim: University of Kansas Health System St. Francis Campus
Date:
Nov 2023
Location:
United States of America
Summary
A ransomware attack targeted Ardent Health Services, impacting the University of Kansas Health System St. Francis Campus and prompting emergency department diversions for stroke and neurosurgical patients to other facilities while allowing non-critical cases. The hospital maintained medical screening and stabilizing care but operated under a cautionary divert status as network systems, including clinical and financial operations, were taken offline. Ardent engaged law enforcement and third-party cybersecurity advisors to restore services, implementing additional IT security measures, though the extent of compromised patient data remained unconfirmed. The incident caused temporary disruptions across multiple states, leading to rescheduled elective procedures and selective emergency patient diversions until systems were reinstated.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On November 23, 2023, the University of Kansas Health System St. Francis Campus in Topeka implemented emergency patient diversions following a ransomware attack impacting its parent organization, Ardent Health Services. The attack occurred prior to November 20, prompting Ardent to proactively take its entire network offline—including corporate servers, internet access, clinical programs, and other critical applications—to contain the incident. By 8:30 a.m. on November 23, St. Francis Campus activated a cautionary divert protocol directing emergency medical services to transport stroke and neurosurgical patients to alternative emergency departments within the region. The hospital maintained capacity to conduct medical screening exams and deliver stabilizing care for walk-in emergency patients, while ambulances could still bring non-critical cases to the facility. Ardent publicly disclosed the cyberattack on November 20, confirming engagement with law enforcement and retention of third-party forensic and threat intelligence advisors to investigate the breach.
The network outage caused operational disruptions across Ardent’s 30 hospitals and 200+ care sites, forcing temporary suspension of clinical and financial systems. While Ardent implemented additional IT security measures and collaborated with cybersecurity partners to restore services, the organization could not immediately determine whether patient health or financial data was compromised during the intrusion. During recovery efforts, Ardent facilities rescheduled non-emergent elective procedures and diverted some emergency room patients to neighboring hospitals to mitigate risks associated with degraded IT capabilities. Hospital spokeswoman Debbie Cluck emphasized St. Francis Campus would continuously reassess its diversion status based on evolving system restoration progress and operational safety considerations. Patient care continued at all facilities through manual workarounds, with no reports of treatment compromises directly attributed to the cyberattack during the disruption period.