HSHS chief executive confirms system-wide outage was caused by 'cybersecurity incident'
Springfield-based Hospital Sisters Health System president and chief executive officer Damond W. Boatwright on Friday acknowledged that a system-wide outage was due to a "cybersecurity incident."
Boatwright made the announcement in a video posted to a dedicated HSHS "updates" page set up earlier in the week.
HSHS is receiving assistance from "third-party experts and is working with law enforcement," Boatwright said.
On Sunday, an HSHS spokesperson confirmed to The State Journal-Register that "federal agencies" were now involved in the investigation.
Rebecca Cramblit, a Public Affairs Officer for the FBI Springfield, said "per FBI policy, we cannot confirm or deny whether we are or are not conducting an investigation. This policy protects the integrity of the investigation as well as any associated victims and the judicial process."
According to a post, the FBI is the lead federal agency for investigating cybersecurity attacks.
The investigation into "the scope and impact of the incident is ongoing," Boatwright said.
The outage struck the nonprofit Catholic health system's clinical and administrative applications and phones and internet across Illinois and Wisconsin, where it operates 15 hospitals and a number of other clinics. Those include HSHS St. John's Hospital and Prairie Cardiovascular in Springfield, along with a number of other clinics, and HSHS St. Francis Hospital in Litchfield.
The outage also has hit Prevea Health, which partners with six HSHS hospitals in Wisconsin.
Boatwright appeared on a Zoom call with Dr. Ashok Rai, President and CEO of Prevea Health, also on Friday.
HSHS said it was made aware about the situation Sunday when it first posted about the incident.
Boatwright said workers are bringing back critical systems, including email and messaging.
"Our (information technology) colleagues, along with our outside experts, are working nonstop to fully restore our remaining offline hospital systems as quickly as possible so we can return to normal operations," noted Boatwright, who took over the top spot at HSHS a little over two years ago.
More: Labor Day 2023: How Springfield Clinic is addressing the healthcare worker shortage
Workers have deployed additional security measures "to safeguard our systems and we have not detected any further unauthorized access in our IT environment," he said.
While the health system will share more information "as we are able," Boatwright stressed that there will be information "we won't be able to share publicly and that is so we can protect the security of the systems and the privacy of the patients and the communities we serve."
Earlier, Curt Esser, an Appleton, Wisconsin-based computer consultant, told The State Journal-Register earlier that hospitals have become "high-valued targets. It's extremely concerning."
HSHS officials did not respond questions from the SJ-R earlier this week about patient or employee records or other confidential system data being potentially compromised.
"It's stressful for all the stakeholders involved," Esser added. "There's a lot of things at risk here.
"There's one thing you have to remember. The bad guys have to find just one hole, one unpatched system, something. The good guys have to handle everything properly, have to be 100% and that's nearly impossible."
From 2016 to 2021, the number of ransomware attacks on hospital and health systems more than doubled from 43 to 91, according to the Journal of the American Medical Association (JAMA). More than one-third of those attacks led to operations disruptions of more than two weeks.
Last month, Prospect Medical Holdings, which is based in California and has hospitals and clinics there and in Texas, Connecticut, Rhode Island and Pennsylvania, was the target of a cybersecurity attack.
According to IBM's "Cost of A Data Breach Report," the average costs of a studied breach in healthcare reached nearly $11 million in 2023–a 53% increase since 2020.
Ken Pacha, who does independent IT work and is a mass media professional in Springfield, said cybersecurity is probably "the biggest concern" for companies.
Pacha, who said he is not familiar with the IT setup at HSHS, said workers now are most likely "essentially going top to bottom" to make sure attackers haven't built backdoors or placed odd code somewhere that might allow them access or scriptwriting abilities.
"They're ensuring the way (the attackers) got in is not there anymore," Pacha said. "They're essentially cleaning the code, cleaning through everything and ensuring those things are not still present."
Earlier in the week, Jennifer Snopko, a spokeswoman for HSHS St. John's, said patients should keep in-person appointments unless directed otherwise.
Anne Davis, a Communication Consultant with Memorial Health, would not comment on how the Springfield group is helping or assisting HSHS in the wake of the outage.
On Friday, HSHS Medical Group posted a message alerting people to possible payment scams.
Springfield-area director of public health retiring at the end of September
The physicians group affiliated with the health system said it had been informed that people were receiving emails, texts and phone calls from sources "claiming to be HSHS representatives seeking payment for services.
"At this time, we are not collecting payments from any patients for outstanding bills," the post read. "We will notify you when billing processes are back up and running."
Kelly Barbeau, an HSHS Illinois Marketing & Communications Director, said it wouldn't provide any additional information other than what is in the video and on the website.
Contact Steven Spearie: 217-622-1788; sspearie@sj-r.com; X, twitter.com/@StevenSpearie.
This article originally appeared on State Journal-Register: HSHS executive confirms system outage caused by cyber breach
