TACOMA — Virginia Mason Franciscan Health acknowledged the frustrations of its staff and patients Wednesday as its computer networks remained offline for a third day following an IT security incident.
But the health care system’s parent company, CommonSpirit Health, with hospitals and clinics across the nation, including in the Puget Sound region, offered no new information about what caused the outage or when it might be fixed.
VMFH locations continued to work Wednesday without online access to patient records and more. The health system’s MyChart online access for patients also remained offline for a third day.
The computer network outage was first announced by the health system Monday.
VMFH, in a statement sent to The News Tribune on Wednesday evening, said: “Virginia Mason Franciscan Health is committed to ensuring patient safety and continues to prioritize patients with the most urgent medical conditions. Our hospitals remain open and we encourage anyone experiencing an emergency to seek medical attention immediately.”
It added, “We recognize this is a frustrating time for our patients and staff and appreciate everyone’s patience as we work around the clock to resolve this issue as quickly as possible. We can’t thank our heroic staff enough for their hard work and dedication to continue caring for our patients during this difficult time.”
An “IT security incident” involving VMFH parent company CommonSpirit Health has affected sites in multiple states, with CHI properties reporting networks down in North Dakota, Nebraska, Tennessee, Texas and Iowa, according to news coverage in those states.
Two VMFH health care employees told The News Tribune that workers on Tuesday were given the same message as Monday: “All VMFH facilities except for VM are currently using downtime procedures with no ETA on resolution. Please be prepared to utilize manual process for documentation, orders and census management … IT support is on site.”
A sign taped on the door outside St. Anthony Hospital emergency department in Gig Harbor warned patients that as a result of the offline computer network, “you may experience longer than normal wait times.”
“What (the sign) doesn’t say is that doctors, nurses, everyone, has zero access to any past medical history (notes, labs, heart studies, lung function tests, etc.),” said an employee, who asked to remain anonymous for fear of retribution.
A media representative for the state Department of Health on Wednesday told The News Tribune he was unaware of any complaints filed with the state regarding elective surgery decisions at VMFH sites during the outage.
EARLIER WARNING AND PAST BREACHES
Neither CommonSpirit Health nor VMFH have offered any more details since Monday as to the source of the incident or whether it was a possible cyber attack involving ransomware.
In July, a multi-federal agency advisory warned of “Maui ransomware, which has been used by North Korean state-sponsored cyber actors since at least May 2021 to target Healthcare and Public Health (HPH) Sector organizations.”
It stated: “Since May 2021, the FBI has observed and responded to multiple Maui ransomware incidents at HPH Sector organizations. North Korean state-sponsored cyber actors used Maui ransomware in these incidents to encrypt servers responsible for healthcare services — including electronic health records services, diagnostics services, imaging services, and intranet services.”
It added: “In some cases, these incidents disrupted the services provided by the targeted HPH Sector organizations for prolonged periods. The initial access vector(s) for these incidents is unknown.”
The advisory “highly” discouraged any payment of ransom “as doing so does not guarantee files and records will be recovered and may pose sanctions risks.”
Tacoma-based CHI Franciscan, which now operates as part of the Chicago-based CommonSpirit Health network, has suffered previous data breaches:
— In 2014, a phishing scam targeted its email network, exposing some patient clinical information, along with some patients’ Social Security numbers. In that case, hackers obtained user names and email passwords of about 20 Franciscan Health System staff members by sending them an email message purportedly from Catholic Health Initiatives, Franciscan’s parent company at the time. The scheme targeted CHI health workers nationwide.
— In 2016, the health system reported that a stolen laptop contained information on more than 12,000 current and former patients of CHI Franciscan Health Hospice. The laptop was in a backpack that also contained a day planner with the employee’s username and password.
HiPAA Journal, which tracks health systems’ compliance with the Health Insurance Portability and Accountability Act, noted in a roundup of U.S. health care cyberattacks through June that 2021 saw more data breaches reported “than any other year since records first started being published by the U.S. Health and Human Services’ Office of Civil Rights.”
“In 2021, an average of 1.95 healthcare data breaches of 500 or more records were reported each day,” according to the report, which estimated the number of records stolen or improperly exposed or disclosed between 2009 and 2021 equates to “more than 94.63 percent of the 2021 population of the United States.”
It noted records encryption and better security practices have helped guard against such data theft.
“Our healthcare data breach statistics show the main causes of healthcare data breaches are now hacking/IT incidents, with unauthorized access/disclosure incidents also commonplace,” it stated.
FINANCIAL STRAIN ALREADY AFFECTING SYSTEM
CommonSpirit Health formed in 2019 through alignment of Catholic Health Initiatives and Dignity Health. It has become one of the largest nonprofit health systems in the United States, with more than 1,000 care sites in 21 states, serving 20 million patients, according to its website.
Virginia Mason Franciscan Health completed the merger of their Seattle and Tacoma-based health systems in January 2021.
VMFH hospitals in the Puget Sound area include St. Clare in Lakewood; St. Joseph and CHI Franciscan Rehabilitation Hospital, both in Tacoma; St. Elizabeth in Enumclaw; St. Anthony in Gig Harbor; St. Michael in Silverdale; Virginia Mason Hospital and Seattle Medical Center in Seattle; St. Anne in Burien; and St. Francis in Federal Way.
The current cyber security event comes the same week the Washington State Hospital Association warned of vast financial losses being experienced at hospitals statewide.
Losses for the hospitals totaled approximately $1.75 billion in the first six months of 2022, a rate WSHA President and CEO Cassie Sauer and other hospital officials speaking Tuesday emphasized was “unsustainable.”
The news followed similar dismal returns WSHA shared in July.
CommonSpirit Health in September reported an operating loss of $1.04 billion for fiscal year 2022 from its sites nationwide.
David Nosacka, chief financial officer of Virginia Mason Franciscan Health, told The News Tribune in a statement on Wednesday: “On par with other hospitals in the state, Virginia Mason Franciscan Health is experiencing significant financial losses due to various factors, including the rising cost of labor, loss of federal funding for COVID-19 patients and high patient volumes compounded by an increased number of patients waiting for guardianship to be established.”
He added: “As a health system, about 200 patients a day on average have their discharge delayed 24 hours or more due to post-acute care placement challenges and guardianship issues which impact our overall inpatient capacity. The net impact of all these challenges is staggering, and unsustainable for VMFH and other hospitals in the state.”
Nosacka said the system was working to “improve efficiency and effectiveness, as well as reduce our costs, so we can focus our resources in patient care areas.”