Scripps Health network still down, 2 weeks after cyberattack
Photo by Christina Morillo from Pexels
More than two weeks after a cyberattack led to a network outage at Scripps Health, the San Diego-based health system is still fighting to get back online.
After detecting the security incident on May 1, Scripps Health suspended user access to its IT applications, including its online patient portal and scripps.org. As of Monday, the website continues to display an error message.
"We apologize for any inconvenience and are working diligently to restore our systems as quickly and as safely as possible," read a statement posted to the system's Facebook page on May 12.
Scripps has been largely tight-lipped about the details of the attack, with CEO and President Chris Van Gorder describing it in a May 10 internal memo as a cybersecurity incident "with malware placed on our information system."
"I want you to know this is a different kind of situation which limits what and when I can say things. We need to let our investigation proceed and work with our consultants and outside governmental agencies, and when I can share, I will," Van Gorder wrote in the memo.
"I do want you to know that this malware attack targeted our information systems. At this time, we have no reason to believe individual data incidents affecting employees, physicians or patients are related to our current incident," he added.
Independent sources have told local outlets the incident involved ransomware. Experts speculate that's related to why the network outage is ongoing.
"It’s likely that it’s taking a long time because of negotiations going on with the perpetrators, and the prevailing narrative is that they have the contents of the electronic health records system that are being used for 'double extortion,'" said Michael Hamilton, former chief information security officer for the city of Seattle and CISO of healthcare cybersecurity firm CI Security.
"As the disclosure of these records would cause more financial harm to Scripps, these negotiations are likely being carried out carefully to minimize additional damage to the organization as well as the cost of returning to full operation," Hamilton continued. "There is also an ongoing investigation, which permits Scripps to embargo information right now."
Scripps Health did not respond to email requests for comment. Attempts to contact the health system via phone were unsuccessful.
In the May 12 Facebook post, Scripps reminded patients that all its locations – including its hospitals, urgent cares, emergency departments, Scripps HealthExpress, Scripps Clinic and Scripps Coastal – are open and continuing to provide care. Virtual visits are still taking place, and Scripps has partnered with Labcorp and Quest Diagnostics to help provide laboratory systems.
The post also directed patients to mail requests for medical records to the system's Release of Information Department via a P.O. box in Encinitas, California.
"Patients or families with questions should contact 1-800-SCRIPPS," read the post.
A significant attack in Ireland
Meanwhile, Ireland's health service IT system was hit with a ransomware attack on May 14, leading to a precautionary shutdown of the network.
As of Monday, disruptions were still ongoing to patient care, with most radiology services canceled along with outpatient appointments at many hospitals.
Clinical laboratory capacity was also dramatically reduced.
The Health Service Executive said this past week that it believed the attack had been carried out by international criminals attempting to extort money.
The country's Taoiseach, or prime minister, said that Ireland would not be paying any ransom.
Cybersecurity expert Michael Hamilton said a number of factors leave the health industry vulnerable to cyberattacks.
"Hospitals and clinics are known to use legacy technology and operating systems, as manufacturers only infrequently certify their products for use with upgraded technology," he said.
"The health sector has recently implemented new technology to facilitate telehealth and work from home for employees; both these have increased the 'attack surface' of the sector, and these exposures have been exploited," he added.
"The health sector also operates on thin margins, and resourcing security is difficult to prioritize. The health sector – especially rural health – cannot compete for professional practitioners as salaries cannot match what is being paid in other sectors," said Hamilton.
Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Email: kjercich@himss.org
Healthcare IT News is a HIMSS Media publication.