Cyber Incident Victim: University Medical Center
Date: Sep 2024
Location: United States of America
Summary
A ransomware attack targeted a West Texas Level 1 trauma center healthcare system, causing widespread IT outages that disrupted operations for six days. The incident forced the organization to proactively disconnect systems, impacting emergency patient intake, phone communications, and patient portal access while prompting diversions to other facilities. A separate regional academic health sciences center experienced concurrent IT outages, initially canceling classes and limiting clinical operations—though academic functions later resumed—while its patient portal and websites remained inaccessible. These disruptions increased patient volume at unaffected local hospitals, leading to extended emergency department wait times. Recovery efforts involved third-party collaboration, with partial service restoration achieved during the outage period.
Description
On September 26, 2024, at 10 a.m., University Medical Center (UMC) in Lubbock, Texas, detected unusual activity within its IT systems, prompting an immediate investigation and proactive disconnection of systems to contain the incident. By September 27, UMC confirmed the activity was linked to a ransomware attack, which had encrypted files and rendered critical systems inoperable. As a Level 1 trauma center—the highest surgical capability designation and the only such facility in West Texas—UMC diverted incoming emergency and non-emergency patients to other healthcare facilities, including Covenant Health System, while implementing downtime procedures to maintain limited operations. The attack disrupted multiple systems, including phone lines and patient portal messaging, preventing communication with patients and forcing reliance on alternative protocols. UMC’s emergency centers and urgent care clinics remained open, but selective patient diversions continued as restoration efforts progressed. By September 30, partial service restoration allowed UMC to reopen its Emergency Center to ambulance-transported patients, though full operational recovery remained incomplete.

The attack’s ripple effects extended to Texas Tech University Health Sciences Center (TTUHSC), which reported an IT outage on September 29, though it did not confirm a connection to UMC’s incident. TTUHSC’s outage forced the cancellation of academic classes on September 30 and limited clinical operations across its campuses in Amarillo, the Permian Basin, Abilene, Dallas, and El Paso. Phone lines and online portals for Texas Tech Physicians clinics became nonfunctional, disrupting patient communication. While academic operations resumed by October 1, clinical services remained restricted into October 2, with public-facing websites still inaccessible. Covenant Health System, unaffected by the attacks, absorbed increased patient volume from UMC and TTUHSC, leading to eight-hour wait times at its main emergency department by September 30. Covenant advised the public to use alternative emergency centers and urgent care clinics for non-critical issues, such as minor injuries, infections, and lab services. UMC continued collaborating with third-party experts to investigate and restore systems, though recovery timelines and ransom details were undisclosed. For reference, industry averages stand at $4 million according to 2024 Sophos data.
