A 2021 ransomware attack on a massive Southern California health system sent a sudden flood of critical patients to two large academic emergency departments (EDs), leading to overcrowding that providers struggled to keep pace with, a researcher reported.
The pair of EDs at the University of California San Diego (UCSD) saw their average daily emergency medical services (EMS) arrivals rise by nearly 60% year-to-year during the worst week of the cyberattack on the Scripps Health system of clinics and hospitals, said Christian Dameff, MD, of UCSD, in presentations at the American College of Emergency Physicians annual meeting.
The cyberattack began around May 1 and targeted Scripps Health, a $2.9-billion nonprofit system that provides about a third of patient care in the San Diego region. The 700,000-patient system has about 3,000 physicians and five hospitals.
In their retrospective analyses, Dameff and colleagues noted that in the 3 weeks leading up to the cyberattack, a mean of 69-71 patients were transported to the hospital EDs each day. In the initial days of the attack (May 2-8), the number grew to 116.
Such a large and instant influx of patients was unprecedented, even during the COVID-19 pandemic, noted Gary M. Vilke, MD, of UCSD Health. “Usually it ramps up, like in flu seasons when the census will go up 15%-20%, instead of seeing an extra 100 patients a day overnight.”
“I’ve been with UCSD for 30 years, and it’s not something I’ve seen before,” he told MedPage Today.
Local media reported that during the attack, electronic health records were unavailable; imaging results couldn’t be viewed; critical patients were diverted elsewhere; and patients couldn’t make urgent appointments or reach physicians. UCSD hospitals had to implement emergency procedures to get extra staff on board.
At the time of the attack, Scripps Health said very little publicly about the situation. Network systems were restored by May 26, and Scripps said that it began “notifying individuals whose information may have been involved in a recent cybersecurity incident,” according to a June 1 statement. The attack cost the health system $112.7 million through the end of June, mostly from lost revenue, according to Fierce Healthcare. In September, lawyers for a patient with cancer filed legal action to bring a class action lawsuit against the health system for negligence and breach of contract, according to the San Diego Union Tribune.
“It was a pretty big shock to the system. Patients tended to be sicker, with things like strokes and heart attacks,” Dameff told MedPage Today. During a July House Energy & Commerce hearing on the growing ransomware threat to critical infrastructure, Dameff stressed that “healthcare is not prepared to defend or respond to ransomware threats,” according to SC Media, but also noted that healthcare delivery organizations could put paper processes in place to maintain and manage patient care within hours of an event, which is how a Florida health system handled a June 2021 cyberattack.
Dameff’s group reported that the average daily census grew to 281 over the cyberattack period versus 174-229 patients during the same week over the previous 5 years. In 2020, the average daily census for that week was 179. The differences were statistically significant for each year compared to 2021.
The take-home message from the studies is that “We should be discussing cyberattack impacts on regions, and developing regional preparedness plans,” Dameff stressed, adding that tabletop simulations of cyberattacks should be routine, and hospitals need to talk to each other about plans to handle critical patients.
“There’s a uniqueness to cyberattacks,” he said. “You know when a hurricane is going to hit and you can prepare. With cyberattacks, you don’t. And cyber attackers can be sneaky and hit you again; hospitals can be ransomed more than once.”
Michael Johnson, a cybersecurity specialist at the University of Minnesota Technological Leadership Institute in Minneapolis, told MedPage Today cyberattacks are going to continue to be a major problem.
“I don’t see [cyberattack incidents] dropping any time soon, and even stabilization in the near term is unlikely,” he said. “Hospitals in particular are very enticing targets for cyber activity, both from a data theft perspective and a ransomware perspective.”
“Healthcare data has become some of the most valuable data to monetize by the hackers, even more valuable than the average set of financial data,” added Johnson, who was not involved in the study. “And disruption to systems like emergency healthcare increases the chance the ransom will be paid in the hope that the hospital can resume normal operations as quickly as possible.”
Randy Dotinga is a freelance medical and science journalist based in San Diego.
Vilke, Dameff, and co-authors disclosed no relationships with industry.
Johnson disclosed a relationship with M Health Fairview.