Cyber Incident Victim: Stillwater Medical Center
Date: Jun 2021
Location: United States of America
Summary
Stillwater Medical Center experienced a ransomware attack that forced electronic health record downtime and disrupted operations across its care facilities. The incident caused widespread system outages, including phone services, online patient portals, mobile applications, and email systems, leading to intermittent communications and some appointment cancellations. IT teams secured the environment, engaged law enforcement and forensic experts, and worked to restore services while maintaining patient care through manual processes. The attack mirrored recent healthcare ransomware incidents involving prolonged EHR disruptions, operational challenges with medication verification and lab result delays, and reliance on alternative documentation methods during recovery efforts.
Description
Stillwater Medical Center, a health system operating multiple care sites, hospitals, and clinics across Oklahoma, experienced a ransomware attack on June 13, 2021. The incident forced the organization into electronic health record (EHR) downtime procedures as it worked to restore affected systems. Upon detecting the attack, Stillwater's IT team immediately implemented security measures to protect the environment and initiated an investigation with assistance from law enforcement and a computer forensic firm. Critical operational disruptions emerged rapidly, including widespread failure of phone systems that compelled the hospital to advise patients to contact emergency services via 911 for urgent needs. Digital patient services were severely impacted, with the online patient portal, mobile application, and email systems becoming inaccessible. Clinical operations continued under modified protocols, though the hospital canceled certain appointments with plans to reschedule them once systems stabilized.

By June 15, two days after the initial attack, phone services remained intermittently functional across Stillwater's network, hampering communication between patients, providers, and facilities. The health system maintained care delivery through manual workarounds consistent with EHR downtime procedures, though the scope and duration of cancellations were not fully detailed in public updates. No specific patient safety incidents or data breaches were disclosed in available reports. Recovery efforts focused on restoring core clinical and administrative systems, with forensic investigators working to determine the attack's origin and propagation method. The incident occurred amid a broader surge in ransomware targeting healthcare providers globally, though Stillwater's communications did not attribute the attack to any specific threat actor or confirm whether data exfiltration occurred. Operational challenges persisted as the organization prioritized system restoration while managing clinical workflows through alternative processes.
