Six days after announcing a cyberattack on its computer systems and electronic health record software, Appalachian Regional Healthcare (ARH) in eastern Kentucky and southern West Virginia is still unsure the source of the problem — and whether or not any patient data was breached.

While all ARH Emergency Departments are continuing to accept patients, the question remains how long a health system can operate under emergency conditions.

West Virginia requires healthcare institutions to notify patients when their data is compromised, but after nearly a week the health system has yet to issue such notifications, according to WOAY-TV.

[Also: Data encryption will 'victimize' tech vendors, FBI Director James Comey says]

“Patients have a right to privacy and hospitals must have a policy regarding the security of their medical records and that it is the responsibility of the compromised hospital to take action and make the required notifications," ARH’s Director of Communications Alison Adler said in a statement.

Since the breach, ARH, which runs Beckley Appalachian Regional Hospital and Summers County Appalachian Regional Hospital, shut down all computers to prevent the further spread of the virus that struck its web-based services and electronic communications.

As a result, the health system has resorted to pencil and paper.

As of Thursday, all systems are still down, including patient care, registration, medication, imaging and laboratory services. Further, according to the ARH website, “all critical patients are being assessed to determine if they should be transferred to another medical facility for care.”

What’s more, the hospital said its “staff is working hard to continue to provide the same level of quality healthcare to our patients while we recover from this cyberattack.”

For now, ARH has apologized for the inconvenience of computer systems being out of service. Patients are feeling left in the dark, meanwhile, about the status of their data, bank information, Social Security numbers, date of birth and medical information.

ARH explained that it has no reason to believe patient health data or financial information has been accessed during this attack — but as is the case with many health data breaches its very difficult to make a certain judgement about what has or has not happened to the data before actually knowing the nature of the virus or attack that brought down its network.

Sign up for the Healthcare IT News Privacy & Security Update newsletter.

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com

Like Healthcare IT News on Facebook and LinkedIn