When Kelley Parsi took her 3-year-old son to a hospital in Des Moines, Iowa, after tonsil surgery, she expected doctors to quickly treat him for pain and dehydration and send him home. Instead, she said, the trip became one of the scariest days of her life.
The computer system that automatically calculated medicine doses wasn’t working, the resident doctor informed her, and he mistakenly “gave him five times what was prescribed,” she said. She later learned a cyberattack had taken down some of the hospital’s digital tools.
She waited for hours, terrified, while her son’s body processed the overdose.
“Because of the cyberattack, my son was overdosed on pain medicine,” Parsi said. He made a full recovery, she said.
Ransomware, in which hackers extort companies and organizations by breaking into and often holding computers and files hostage, has become one of the toughest problems in cybersecurity and a threat to industries around the world. But it can be especially damaging when it hits hospital chains, causing trickle-down damage for patient care across the country.
Ransomware hackers hit MercyOne in early October, part of a larger breach that caused hospitalwide outages at multiple health systems, according to The Des Moines Register. CommonSpirit Health, a nonprofit health system based in Chicago, oversees 140 hospitals in 21 states; it was not clear how many of those hospitals were affected, and it declined to share the number.
CommonSpirit had sold MercyOne, the hospital where Parsi took her son, to a different hospital chain in September. But MercyOne and CommonSpirit still share IT systems, a CommonSpirit spokesperson told NBC News. Ransomware hackers often break into one organization's computer networks, then use that foothold to jump to other victims.
Brett Callow, an analyst at the cybersecurity firm Emsisoft, said 19 large U.S. hospital chains have been hacked with ransomware this year.
Parsi’s hospital, MercyOne, declined to comment about her situation, citing patient confidentiality. A spokesperson said in a statement that it was “committed to providing safe quality care for all patients we serve in their time of need.”
Ransomware attacks have hit a variety of sensitive industries, but few, if any, of those attacks have the potential for harm that attacks on hospitals do.
For Rachel Cupples of Western Washington, the CommonSpirit Health ransomware attack meant delaying important surgery for weeks. After she went to the emergency room in late September for unbearable pain, doctors told her she had an ovarian cyst that needed to be removed quickly. But when she tried to schedule the procedure, Cupples found that her hospital was no longer taking new surgery appointments because of the ransomware attack. Like some other CommonSpirit Health hospitals that were affected, hers announced it was having trouble scheduling new patients.
“I called and found out that all their systems were down and that they couldn’t schedule or do anything,” said Cupples, 44.
“Nobody really knew at that point how, or at least they weren’t sharing, like, how long it was going to be.”
Eventually, CommonSpirit Health brought its scheduling systems back online late last month, and Cupples had successful surgery Thursday.
There has been only a single credible public accusation of ransomware’s leading to a person’s death in a hospital. An Alabama woman is suing her hospital, which was not affiliated with CommonSpirit Health, after her newborn died, and she said it did not disclose that it was providing imperiled care because of a cyberattack. A study last year from the federal Cybersecurity and Infrastructure Security Agency found that hospitals hit with ransomware tended to experience more strain, which often correlates with higher patient mortality rates.
Parsi and Cupples said they blamed the hackers, not the hospitals, for their pain caused by delayed care.
“It wasn’t the doctors. It wasn’t the medical receptionist or any of those folks,” Cupples said. “They really did their best.”
Megan Stifel, the chief strategy officer at the Institute for Security and Technology, a think tank that works to improve U.S. cybersecurity policy, said ransomware against hospitals shows how out of control criminal hackers have gotten.
“If you take a hospital system offline for some period of days, tremendous backlog happens,” Stifel said. “What worse of an illustration do we need to grab people’s attention to say this is a real problem? This impacts human life.”
CLARIFICATION (Nov. 9, 6:08 p.m. ET): CommonSpirit Health does not own MercyOne hospital in Des Moines. Spokespeople for CommonSpirit Health told NBC News after publication that it had sold MercyOne hospital in September, though it still shares digital infrastructure with the hospital.