A cyber-attack has shut down emergency rooms in at least three states, a hospital operator warned on Monday, forcing the organization to divert patients to other facilities.
Ardent Health, which oversees 30 hospitals in states across the US, including New Mexico, Texas and Oklahoma, said it had been targeted by a ransomware attack over the Thanksgiving holiday. The attack had shut down a significant number of its computerized services, the company said in a news release.
“In an abundance of caution, our facilities are rescheduling some non-emergent, elective procedures and diverting some emergency room patients to other area hospitals until systems are back online,” Ardent Health’s release said.
Each of the affected Ardent hospital chains – Hillcrest HealthCare in Oklahoma, Lovelace Health in New Mexico, and UT Health in Texas – said that some of their emergency rooms were transferring patients to other hospitals.
The hospital operator said the cyber-attack has affected computer programs that track patients’ healthcare records, among others.
In its statement, Ardent said the ransomware attack had taken its network offline. The company said it reported the issue to law enforcement as well as retained third-party forensic and threat intelligence advisers.
“At this time, we cannot confirm the extent of any patient health or financial data that has been compromised,” Ardent said.
Ransomware attacks that disrupt healthcare providers’ operations are becoming increasingly common. Brett Callow, an analyst at the cybersecurity company Emsisoft, told NBC News that there had been at least 35 in US this year.
Attacks commonly occur over holiday periods when hackers believe there are fewer security staff on duty. Law-enforcement officials, including the FBI, advise victims of ransomware attacks to not agree to ransom demands.
“We need victims not to pay the ransom because that’s the gasoline that’s pouring on the fire,” the FBI director, Christopher Wray, said in February this year. “The more people pay, the price goes up and the more victims there are. So we have a shared common interest in not having the ransoms get paid.”
The targeting of hospitals – and demands for extortion payments – began in 2016, according to the cybersecurity firm Recorded Future. The ransomware analyst Allan Liska told NBC in June that there had been at least 300 documented attacks a year on healthcare facilities since 2020.
In June, St Margaret’s Health in Spring Valley, Illinois, was forced to close, partly as a result of an attack.
Ardent is believed to be the largest health operator to be hit so far. While there are no cases of patients dying as a result of an attack, studies had shown that there is a link between ransomware attacks on hospitals and increased mortality rates, according to NBC.
Ardent, which started out running psychiatric hospitals, said that patient care continued to be delivered “safely and effectively in its hospitals, emergency rooms, and clinics”. But out of “an abundance of caution”, the company said, it was rescheduling some non-emergent, elective procedures and diverting some emergency room patients to other area hospitals until systems are back online.
“Ardent is still determining the full impact of this event and it is too soon to know how long this will take or what data may be involved in this incident,” the company added.