A Thanksgiving turkey for hospitals: multiple cyber and ransomware attacks

IT incidents were on the Thanksgiving menu at many US hospitals. It was no holiday for the hospitals experiencing attacks and outages, forcing ERs to divert to other hospitals and resort to downtime procedures. The hospitals reporting them are part of Ardent Health Services, a 30-hospital operator. Ransomware has been reported for some as the cause. Not all Ardent hospitals have been reported as affected.

A rundown of what was attacked, and where:

  • The 10-hospital UT Health East Texas (Tyler, Texas) network reverted to downtime procedures after a security incident, outage, and locked down its systems. Ambulances heading to its ERs were diverted to other hospitals.
  • Lovelace Health System in Albuquerque, New Mexico, affecting six hospitals, 33 health care clinics and seven outpatient therapy clinics. 
  • BSA Health System in Amarillo, Texas 
  • The University of Kansas Health System St. Francis Campus in Topeka 
  • Hillcrest HealthCare System (Tulsa, Oklahoma) 
  • Closer to this Editor’s home, two Hackensack Meridian hospitals in New Jersey served by Ardent were ransomwared starting on Thanksgiving: Pascack Valley in Westwood and Mountainside Medical Center in Montclair. Local reports indicated a ransomware attack. The outage continued through the weekend. Other Hackensack Meridian hospitals are not served by Ardent and were not affected.

Ardent has reported this to law enforcement and in their release, stated they are still determining the full impact of the event, though working with partners to restore access to electronic medical records and operations. 

In addition to the Ardent hospitals, on Thursday the six-hospital Vanderbilt University Medical Center (Nashville, Tennessee) reported a cyberattack that compromised a database and was contained. Ransomwareistas Meow claimed that their information was leaked on the dark web. VUMC is not confirming a ransomware attack and stated that the “compromised database did not contain personal or protected information about patients or employees.”

Becker’s 27 Nov, 27 Nov (Hackensack), Asbury Park Press, News12NJ, Ardent Health release, The Record

News roundup: Proteus may be no-teous, DOJ leads on Google-Fitbit, HHS’ mud fight, Leeds leading in health tech, malware miseries, comings and goings

Proteus stumbles hard, cuts back. The original ‘tattle-tale pill’ company, Proteus Digital Health, plans to lay off 292 people in the San Francisco Bay Area and to permanently close its three Redwood City and Hayward locations, starting 18 January, according to notices sent to California state and local offices, including the state employment development department. It is unclear where Proteus will be located after the closures.

This followed after Proteus failed to launch a twelfth funding round of $100 million. According to reports, they furloughed most of their employees for two weeks in November and are reorganizing. This is after a substantial number of investors have put in about $487M in funding through a Series H (Crunchbase), including a game-changing investment by Novartis dating back to 2010.  Proteus achieved unicorn status about three years ago, but its high-priced pill tracking technology with a pill sensor tracked by a skin-worn monitor reporting into a smartphone has a built-in limited market to expensive medication. Otsuka Pharmaceutical in 2017 partnered with Proteus for an FDA-cleared digital medicine system called Abilify MyCite that basically put an off-patent behavioral drug back into a more expensive tracking methodology. But Proteus remains a great idea on tracking compliance in search of a real market, and may not have much of a future. San Jose Mercury News, CNBC

But ingestible detectable pills are still being tested. On Monday, as Proteus’ bad news broke, eTectRx announced its FDA clearance of the ID-Cap System and its testing at Brigham and Women’s Hospital and Fenway Health, focusing on HIV medication when used for treatment and prevention. Release, HISTalk

Department of Justice taking the lead on scrutinizing Google’s Fitbit acquisition. The Federal Trade Commission also sought jurisdiction over the transaction. According to the New York Post, “both agencies are concerned that a Google-owned Fitbit would give the search giant an even bigger window into people’s private data, including sensitive health information, sources said. Under the Hart-Scott-Rodino Act, all large mergers must file proposals with both the DOJ and the FTC, but only one antitrust agency reviews the merger.”

Coal from stockings being thrown about at HHS. According to POLITICO and the New York Times, the disagreements between Seema Verma, the head of the Centers for Medicare and Medicaid Services (CMS), and the Cabinet-level Secretary of Health and Human Services (HHS), Alex Azar, have boiled over, enough to have to be settled by the President’s acting chief of staff, Mick Mulvaney. According to the Times, both President Trump and VP Mike Pence have told them to find a way to work together. Both are administration appointees, but President Trump has not been reluctant to cut a mis-performing or overly contrary appointee loose. The latest salvo from those obviously not on Ms. Verma’s side was the revelation that she requested compensation for jewelry stolen on a business trip, contrary to government policy of course. She was compensated for other items which is standard. (Isn’t that what homeowners’ insurance is for? And what sensible person actually travels with valuable jewelry?) Under Ms. Verma, CMS has been quite progressive in developing new business models in Medicare fee-for-service, moving providers to two-sided risk, and innovating in both Medicare and Medicaid. It will either be settled, or one or both will be gone. Pass the popcorn.

Leeds picks up another health tech company. Mindwave Ventures is opening an office there, as well as appointing Dr Victoria Betton and Dr Janak Gunatilleke to the roles of chief innovation officer and chief operating officer. Mindwave develops technologies around digital products and services in healthcare and health research. Leeds reportedly is home to over 250 health tech companies and holds an annual Leeds Digital Festival in the spring [TTA 11 April].

Ransomware attack hits Hackensack Meridian. Systems were down for about a week. While this large New Jersey health system hasn’t admitted it, sources told the Asbury Park Press that it was ransomware. And if it’s not ransomware, its Emotet and Trickbot. Read ZDNet and be very apprehensive for 2020, indeed, as apparently healthcare is just one big target.

Comings and Goings: There may be some end of year bombshells, but after last week’s big news about John Halamka, it’s been fairly quiet. Paul Walker, whom this Editor knew at New York eHealth Collaborative, has joined CommonWell Health Alliance as executive director. Mr. Walker was most recently Philips Interoperability Solutions’ vice president of strategy and business development. CommonWell’s goal is improving healthcare interoperability and its services are used by more than 15,000 care provider sites nationwide. Blog release, Healthcare Innovation ….Dr. Jacqueline Shreibati, the chief medical officer for AliveCor, is joining Google Health in the health research area. Mum’s the word when it comes to Fitbit (see above). CNBC ….Peter Knight has pleaded guilty to falsifying educational credentials to gain his position as chief information and digital office at Oxford University Hospitals NHS Foundation Trust. He held that position from August 2016 until September 2018. BBC News