A ransomware attack on a regional California health system compounded problems that began on December 1, when the system was hacked.
PIH Health serves more than 3 million residents in Los Angeles and Orange counties and throughout the San Gabriel Valley. The problems began with IT and phone system outages, and patient care was disrupted when the healthcare provider was forced to delay or cancel some procedures after the hack.
The cybercriminals claim to have stolen 17 million patient records.
PIH Health, in a statement published December 11, said the attack affected three of its hospitals:
- Downey Hospital,
- Good Samaritan Hospital, and
- Whittier Hospital,
as well as its urgent care centers, doctor offices, home health, and hospice agency.
Although PIH’s statement does not mention the cybercriminals’ claims, a local news outlet received a copy of the hackers’ letter from a PIH Health employee. The letter threatens to publish the stolen patient files if the healthcare provider does not “cooperate and make a deal.” The letter does not mention a specific ransom amount or identify the hacker.
PIH has reported the cyberattack to law enforcement, including local police and fire departments, and is working with the FBI.
Downtime Procedures Help Keep the Health System Open
The IT outage is affecting appointments and scheduling, but the provider is doing its best to continue providing patient care.
In its statement, last updated yesterday, December 16, PIH Health said its emergency room and urgent care centers are still open, and all facilities, including hospitals, medical offices, home health, hospice, imaging, and laboratory service, are operating under the organization’s downtime procedures.
“We are doing everything possible to minimize cancellations, but some procedures and surgeries may be canceled due to the technology issues.”
Due to the outage, online appointment scheduling is unavailable. Patients were notified that their physician’s office or hospital would contact them if rescheduling were necessary.
The outpatient laboratories and radiology departments also remain open. In its statement, PIH told patients:
“However, because we do not have access to any electronic orders, you must bring a paper copy of your physician’s order to your appointment. You may have to visit your physician’s office if you do not have a copy of the original order.”
During the downtime, test results may take longer than usual. Drug prescription processes at PIH pharmacies, including refills of existing prescriptions and new orders, are also affected. For existing prescriptions, patients have been advised to bring their most recent medication container from a PIH Health pharmacy, with its label, to any PIH Health pharmacy, where staff will use the label details to refill the prescription. The PIH statement noted that its pharmacies are currently only accepting cash payments.
For new prescriptions, PIH instructs patients to bring a paper prescription from their physician, “including their name and phone number, along with your most current prescription insurance card, to the PIH Health or retail pharmacy. However, PIH Health Pharmacies cannot fulfill controlled substances from a paper prescription.”
Extent of the Damage
As of today, PIH Health has not confirmed that protected health information (PHI) was breached but noted that impacted individuals would be notified if information was found to be compromised.
The health system notes, “There is no timeline for full system restoration at this time.”
A Ransomware Attack is Costly
An IT outage, the loss of computers and phone systems, and interrupted patient services add to the enormous costs of a cyber attack.
As PIH Health recovers, it bears the costs of investigations, public relations advice, and legal counsel to manage its public image and potential lawsuits. If the attack compromised as many files as the cybercriminals claim, there will likely be class action lawsuits against PIH Health alleging negligence in protecting patient data and violations of state privacy and consumer protection laws.
If the investigation reveals that PHI was breached, the healthcare system must notify the U.S. Department of Health and Human Services Office for Civil Rights (OCR), the State of California, and all affected patients. The OCR will then investigate.
Prevent a Ransomware Attack With HIPAA Compliance
Robust HIPAA compliance is the best defense against a cyber attack. The HIPAA Security Rule contains all the defensive and mitigation measures to prevent attackers from breaching your systems. Do an annual Risk Analysis and follow your Risk Management Plan to minimize risks. If you need help getting started, call The HIPAA E-Tool®.