Universal Health Services (UHS), a hospital chain with over 400 locations in the United States and the United Kingdom, fell victim to an “information technology security incident,” e.g. a cyber attack, on Sept. 27, according to a statement released by the organization on Tuesday.
The attack is the largest of its kind on a medical facility in United States history, according to a report from NBC News. The company’s U.K. locations were not affected by the outage.
UHS may not be a household name, but has U.S. hospitals from Washington, D.C., to Fremont, California, and Orlando, Florida, to Anchorage, Alaska. Some of its facilities provide care for people coping with psychiatric conditions and substance abuse problems.
The widespread outage thrust hundreds of healthcare facilities across the U.S. into chaos Monday, with treatment impeded as doctors and nurses already burdened by the coronavirus pandemic were forced to rely on paper backup systems. The company “suspended user access to its information technology applications related to operations located in the United States,” a statement on the UHS website read.
“The company has implemented extensive information technology security protocols and is working diligently with its security partners to restore its information technology operations as quickly as possible,” a statement from UHS Chief Financial Officer Steve Filton read in part.
“In the meantime, while this matter may result in temporary disruptions to certain aspects of our clinical and financial operations, our acute care and behavioral health facilities are utilizing their established back-up processes including offline documentation methods. Patient care continues to be delivered safely and effectively,” the statement continued.
The company did not clarify what caused the outage. Fortunately, the company currently has “no evidence that patient or employee data was accessed, copied or misused.”
John Riggi, senior cybersecurity adviser to the American Hospital Association, called it a “suspected ransomware attack,” affirming reporting on the social media site Reddit by people identifying themselves as UHS employees.
UHS workers reached by The Associated Press at company facilities in Texas and Washington, D.C. described mad scrambles after the outage began overnight Sunday to render care, including longer emergency room waits and anxiety over determining which patients might be infected with the virus that causes COVID-19.
According to TechCrunch, an employee familiar with the situation said affected UHS computer screens displayed references to the “shadow universe,” indicating a connection to the infamous Ryuk ransomware attacks.
Sophisticated eCrime groups often employ Ryuk ransomware to target “large organizations for a high-ransom return,” according to cybersecurity technology company CrowdStrike. This methodology, known as “big game hunting,” has impacted organizations from the U.S. Coast Guard to Tribune Publishing Newspapers.
Earlier in the year, a number of ransomware operators including DoppelPaymer, Maze, and CLOP pledged not to target hospitals or nursing homes amid the coronavirus pandemic, according to a report from BleepingComputer. Notably, those behind the Ryuk ransomware were not among those who made the pledge.
The Associated Press contributed to this report.