Scripps Health still grappling with impact of May 1 ransomware attack

The hospital chain has been forced to reschedule operations and is working to bring its electronic health record systems back online.

ransomwareistock-684726904vchal.jpg

Getty Images/iStockphoto

A May 1 ransomware attack against California hospital chain Scripps Health continues to impact both the organization and its patients almost a month later. On Monday, Scripps Health published an FAQ with new details about the attack as well as directions for affected patients. In its update, the organization acknowledged a cybersecurity incident on May 1 that disrupted its IT systems at hospitals and other facilities. But there’s more to the story.

SEE: Ransomware: What IT pros need to know (free PDF) (TechRepublic)

More about cybersecurity

Previously hesitant to reveal too much information about the attack, Scripps acknowledged that the incident did involve ransomware, confirming what the California Department of Public Health had said on May 7, according to NBC San Diego News.

In response, the hospital chain said that it attempted to contain the malware by taking a large portion of its network offline. It also reported the attack to federal authorities, who have been conducting an investigation. IT staffers and external consultants have been working to restore its affected systems, which includes the use of backups.

In a letter directed toward Scripps patients, president and CEO Chris Van Gorder explained why the organization hasn’t provide more frequent updates. Sharing too many details about its efforts could have put Scripps at risk of additional attacks, preventing it from restoring its systems safely and quickly, Van Gorder said. Already, attackers have used whatever information has been publicly reported to target the organization with scam messages.

Stating that there is no there is no “easy button” toward restoring the affected systems, Van Gorder said that the chain’s electronic health record system should be back online during the latter half of this week. The inaccessibility of the patient portal has kept patients from logging into their MyScripps accounts to check their healthcare information.

But the biggest impact of the attack and the outage may be on medical appointments and procedures. Scripps said that it’s currently contacting patients to reschedule surgeries, infusions, imaging, lab tests and other services that had been postponed. The chain is also trying to catch up with phone messages from people who need to set up appointments.

In the meantime, Scripps is relying on other organizations for help while its systems are being restored. Network partner Imaging Healthcare Specialists is scheduling imaging appointments for patients whose exams were canceled. Quest Diagnostics and Labcorp are providing lab services.

With a ransomware attack against a hospital comes the fear of confidential patient data being leaked. Scripps said that an investigation to determine whether any patient records were affected is still ongoing. Beyond the potential impact on patient data, questions remain as to who is behind the attack and why they targeted Scripps.

“To date, we have not seen evidence of any of the usual ransomware groups taking credit for the attack or threats to post data, which has been a hallmark for groups using the extortion angle lately,” according to Sean Nikkel, senior cyber threat intel analyst at Digital Shadows.

“Some ransomware operators recently made announcements about specifically not attacking healthcare,” Nikkel added. “It’s realistically possible that this was more of a target-of-opportunity for a ransomware attack or didn’t involve groups that talk about it publicly. Without knowing the details about attack indicators or how Scripps’ infrastructure was protected, it would be hard to say how or why they were specifically attacked.”

One cybersecurity analyst spotted similarities between the Scripps attack and another incident against a healthcare system.

“There is strong correlation between the Ireland’s health system attack and the Scripps attack because of the type of ransomware that was executed–Conti,” said Matt Klein, cyber executive adviser at Coalfire. “The Conti ransomware operation first appeared in May 2020 and is believed to be under the control of the Russia-based Wizard Spider cybercrime gang. Scripps was most likely targeted because of the level of revenue generated by their health system, which would lead an attacker to believe the chance for payment would be much greater.”

But Scripps may have been able to identity and mitigate the ransomware attack before it did any real damage.

“It seems possible that Scripps was able to detect the malware before any encryption attempt was started and decided to turn the IT systems off to prevent that from happening,” said Dirk Schrader, global vice president of security research at New Net Technologies.

“With some additional speculation, there are some potential reasons why Scripps is tight-lipped about the incident,” Schrader added. “One can be a request by authorities as they see this as an opportunity to dig deep into the forensics of an attack discovered rather early than late. Another one can be that the research done by Scripps and the related contractual obligations mandate such behavior.”

Also see