Ascension Health Targets June 14 for System-wide EHR Restoration after Ransomware Attack

The cyberattack disrupted operations across its 140 hospitals and other facilities. Ascension has been working tirelessly to restore its electronic health records (EHR) and expects complete restoration by June 14.

Claimed to be one of the biggest ransomware attacks in the USA, Ascension Health, leading non-profit healthcare systems in the country, has announced plans to restore its electronic health records (EHR) by June 14th.

The cyberattack disrupted operations across its 140 hospitals and other facilities. 

Reportedly, Ascension has been working to restore its EHR and expects complete restoration by June 14.

On Tuesday, Ascension reported successfully restoring EHR access in Florida, Alabama, and Austin, Texas. The non-profit stated, "Once the EHR restoration is complete, clinicians can access and use patients' health records as before the incident."

The organization has prioritized EHR restoration throughout the incident. "While these are promising developments in our recovery efforts, our investigation into this incident remains ongoing, along with the remediation of additional systems," Ascension noted. 

However, the healthcare organization noted the complexity of the process, indicating that it would take more time to complete.

Operational Impact & Legal Challenges

Despite the cyberattack, all 140 hospitals and other locations remained open and provided care. Ascension also reopened its retail, home delivery, and specialty pharmacy sites. 

"This means that healthcare providers can transmit prescriptions electronically and send prescriptions to Ascension Rx pharmacies for their patients," the organization stated.

However, the attack has already led to legal challenges. Just under a week after the ransomware attack, Ascension faced patient class action lawsuits. 

One lawsuit, filed on May 13 in Texas, came from a patient at Ascension Seaton Hospital in Round Rock. Another, filed on May 14 in Illinois, was brought by a longtime patient of Ascension Saint Mary in Chicago. 

Both plaintiffs are represented by the Chicago-based Law Offices of T J Jesky claim that Ascension's failure to implement adequate cybersecurity measures exposed private information. The complainants describe the incident as "foreseeable and preventable."

Ascension has not yet disclosed whether patients' sensitive information was compromised. 

In a statement, the organization said, "If we determine sensitive data was potentially exfiltrated or accessed as part of this incident, we will notify applicable individuals and parties under our obligations."

Ongoing Investigation

The attack was first detected on May 8, prompting Ascension to activate its remediation processes immediately. The organization hired Mandiant, a third-party cybersecurity firm, to assist with the investigation. Ascension also notified law enforcement and other government bodies, including the FBI and the Cybersecurity and Infrastructure Security Agency (CISA).

In an update, Ascension stated, "We remain in close contact with the FBI and CISA, and we are sharing relevant threat intelligence with the Health Information Sharing and Analysis Center (H-ISAC) so that our industry partners and peers can take steps to protect themselves from similar incidents."

During the downtime, Ascension's clinical operations were significantly impacted. Clinicians resorted to paper records, and some emergency services were diverted. Despite these challenges, the organization ensured that care delivery remained safe. 

An Ascension spokesperson noted, "Patients should bring to their appointment notes on their symptoms, as well as a list of current medications and prescription numbers or the prescription bottles, so their care team can call in medication needs to pharmacies."

Ascension also had several hospitals on diversion for emergency medical services and temporarily paused some non-emergent elective procedures and tests.

"We understand the frustration this may cause and sincerely regret any inconvenience to our patients," the spokesperson added.

Ascension, headquartered in St Louis, runs 140 hospitals and 40 senior living facilities across 19 states. The organization employs about 132,000 people and reported over $28 billion in revenue during its most recent fiscal year. 

Fitch Ratings commented on Ascension's strong financial position despite the cyberattack, stating that it provides a "significant rating cushion" for such events.