MercyOne sites open but online scheduling canceled after national cyberattack

All care locations in MercyOne Central Iowa's region, including Des Moines, remain open and are caring for patients even as the health system struggles with an unspecified IT security breach affecting its parent company, officials said.

Iowa hospital officials have not said whether any patient appointments or procedures were postponed this week as a result of the "IT security incident" at parent company CommonSpirit Health, an apparent cyberattack that has disrupted hospitals throughout the U.S.

But MercyOne Central Iowa officials said Thursday patients can't schedule appointments online because of the problem. Instead, they should call to schedule an appointment at one of MercyOne's clinics.

"Patients can be assured that MercyOne is able to serve all health care needs with minimal disruption to normal operations," said MercyOne Spokesperson Marcy Peterson.

Beginning Monday, MercyOne facilities shut down some of their information technology systems, including their electronic medical records, because of the security incident. These systems were taken offline as "a precautionary step" after the incident, which appears to be affecting hospitals across the country.

Officials have been tight-lipped, offering no details on what occurred. It's unclear whether patient health information has been compromised, or how long systems will be taken offline.

Health care providers are required by law to notify the federal Department of Health and Human Services if a breach has compromised the private information of 500 or more patients.

Reports of cancelled appointments, delayed procedures following incident

Chicago-based CommonSpirit Health is the second largest nonprofit health care system in the country, operating more than 140 hospitals across 21 states.

It's unclear exactly how many of its sites are affected at this time, but the scope of the attack is broad, crippling facilities nationwide. The massive outage of its health record system has resulted in canceled appointments and delayed procedures in some areas, according to a report from the Kitsap Sun in Washington state.

UnityPoint Health-Des Moines officials confirmed Iowa Methodist Medical Center received five ambulances Monday that were diverted during "the short period of time" MercyOne Des Moines Medical Center was sending patients elsewhere.

A TV outlet out of Tacoma, Washington, reported one patient had been scheduled to get a cancerous tumor on her tongue removed on Monday, but the procedure was put off several days due to the incident.

Another Washington couple told the Kitsap Sun anonymously that the husband had been denied a planned CT scan to check on a life-threatening brain bleed, and they have been unable to reschedule.

CommonSpirit officials have not said how many patients have faced disruption to their health care, but they acknowledged some appointments have been rescheduled as a result.

"Patients will be contacted directly by their provider and/or care facility if their appointment is impacted," officials said in a statement Wednesday.

The Iowa-based MercyOne was jointly operated by CommonSpirit and Trinity Health until earlier this year, when Trinity signed an agreement to become the sole owner of the Catholic health system that operates throughout Iowa.

However, MercyOne systems continued to use CommonSpirit Health technology as officials prepared to integrate into Trinity.

Ransomware a growing threat to hospitals, expert says

CommonSpirit officials have also not addressed whether this incident is a ransomware attack. But experts say given the growing cybersecurity threat hospitals have faced in recent years, that's most likely the cause of this massive outage.

Ransomware is malware used by hackers to encrypt data or a computer system, blocking access until the hackers' demands are met ― usually a ransom fee.

These kinds of attacks would prevent hospitals from accessing key systems and prevent staff from accessing crucial data, hindering their ability to provide patient care. In the past, that has meant hospitals have delayed cancer treatments, canceled surgeries and even diverted ambulances carrying trauma patients from the facility, said John Riggi, national adviser for cybersecurity and risk at the American Hospital Association.

"If their health care system or hospital has seen a high-impact attack ― whether it’s a small Critical Access Hospital or a large multi-state system ― it could take 3-4 weeks minimum to restore just their mission-critical systems," Riggi previously told the Des Moines Register.

There were at least 168 ransomware attacks against health care organizations in 2020 and 2021, affecting more than 1,700 clinics, hospitals and other health care settings across the country, according to Pew Charitable Trusts.

So far in 2022, at least 15 health care systems managing more than 60 hospitals in the U.S. have been affected by ransomware, according to Emsisoft, a cybersecurity provider. Data was stolen in the majority of instances, Brett Callow, a threat analyst with Emsisoft, told the Associated Press.

Hospitals face large financial blows from these attacks, even as more facilities are refusing to pay the ransom, Riggi said. A 2021 attack on California-based Scripps Health cost the system $112.7 million, mostly in lost revenue.

Michaela Ramm covers health care for the Des Moines Register. She can be reached at mramm@registermedia.com, at (319) 339-7354 or on Twitter at @Michaela_Ramm.

This article originally appeared on Des Moines Register: MercyOne clinics operating after online systems shut down by breach