IE 11 is not supported. For an optimal experience visit our site on another browser.

Ransomware attack delays patient care at hospitals across the U.S.

CHI Memorial Hospital in Tennessee, some St. Luke’s hospitals in Texas and Virginia Mason Franciscan Health in Seattle all have announced they were affected.
Baylor St. Luke's Medical Center in Houston in 2018.
Baylor St. Luke's Medical Center in Houston in 2018.Jon Shapley / Houston Chronicle via AP file

One of the largest hospital chains in the U.S. was hit with a suspected ransomware cyberattack this week, leading to delayed surgeries, hold ups in patient care and rescheduled doctor appointments across the country.

CommonSpirit Health, ranked as the fourth-largest health system in the country by Becker’s Hospital Review, said Tuesday that it had experienced “an IT security issue” that forced it to take certain systems offline.

While CommonSpirit declined to share specifics, a person familiar with its remediation efforts confirmed to NBC News that it had sustained a ransomware attack.

CommonSpirit, which has more than 140 hospitals in the U.S., also declined to share information on how many of its facilities were experiencing delays. Multiple hospitals, however, including CHI Memorial Hospital in Tennessee, some St. Luke’s hospitals in Texas, and Virginia Mason Franciscan Health in Seattle all have announced they were affected.

One Texas woman, who spoke to NBC News on the condition of anonymity to protect her family’s medical privacy, said that she and her husband had arrived at a CommonSpirit-affiliated hospital on Wednesday for long-scheduled major surgery, only for his doctor to recommend delaying it until the hospital’s technical issues were resolved.

The surgeon “told me it could potentially delay post-op care, and he didn’t want to risk it,” she said. 

Ransomware attacks on health care chains are relatively common, and have been a frequent part of the U.S. medical system for more than two years. Even if an attack doesn’t shut a hospital down, it can knock some or all digital systems offline, cutting doctors’ and nurses’ access to digital information like patient records and recommendations for care.

Brett Callow, an analyst at Emsisoft, a cybersecurity company that specializes in ransomware, said that he was aware of at least 15 health care companies representing 61 hospitals that have been hit by ransomware attacks so far this year.

To date, there is only one documented instance in which an American has publicly claimed that ransomware directly led to a patient’s death. An Alabama woman sued her hospital in 2020 after her baby was born with a severe brain injury and died after her hospital was hit by  a ransomware attack and allegedly didn’t inform her.

However, a major report by the federal Cybersecurity and Infrastructure Security Agency and a survey of health care information technology professionals found that a ransomware attack on a hospital increases the stress on its capabilities in general, and leads to higher mortality rates there.