VMFH acknowledges ‘frustrating time’ as computer networks remain down for third day

Debbie Cockrell

October 5, 2022 at 8:52 p.m.·7 min read

Virginia Mason Franciscan Health acknowledged the frustrations of its staff and patients Wednesday as its computer networks remained offline following an IT security incident.

But the health care system’s parent company, CommonSpirit Health, with hospitals and clinics across the nation, including in the Puget Sound region, offered no new information about what caused the outage or when it might be fixed.

VMFH locations continued to work Wednesday and into Thursday without online access to patient records and more. The health system’s MyChart online access for patients also remained offline for a third day.

The computer network outage was first announced by the health system Monday.

VMFH, in a statement sent to The News Tribune on Wednesday evening, said: “Virginia Mason Franciscan Health is committed to ensuring patient safety and continues to prioritize patients with the most urgent medical conditions. Our hospitals remain open and we encourage anyone experiencing an emergency to seek medical attention immediately.”

It added, “We recognize this is a frustrating time for our patients and staff and appreciate everyone’s patience as we work around the clock to resolve this issue as quickly as possible. We can’t thank our heroic staff enough for their hard work and dedication to continue caring for our patients during this difficult time.”

An “IT security incident” involving VMFH parent company CommonSpirit Health has affected sites in multiple states, with CHI properties reporting networks down in North Dakota, Nebraska, Tennessee, Texas and Iowa, according to news coverage in those states.

Two VMFH health care employees told The News Tribune that workers on Tuesday were given the same message as Monday: “All VMFH facilities except for VM are currently using downtime procedures with no ETA on resolution. Please be prepared to utilize manual process for documentation, orders and census management ... IT support is on site.”

A sign taped on the door outside St. Anthony Hospital emergency department in Gig Harbor warned patients that as a result of the offline computer network, “you may experience longer than normal wait times.”

“What (the sign) doesn’t say is that doctors, nurses, everyone, has zero access to any past medical history (notes, labs, heart studies, lung function tests, etc.),” said an employee, who asked to remain anonymous for fear of retribution.

A media representative for the state Department of Health on Wednesday told The News Tribune he was unaware of any complaints filed with the state regarding elective surgery decisions at VMFH sites during the outage.

EARLIER WARNING AND PAST BREACHES

Neither CommonSpirit Health nor VMFH have offered any more details since Monday as to the source of the incident or whether it was a possible cyber attack involving ransomware.

In July, a multi-federal agency advisory warned of “Maui ransomware, which has been used by North Korean state-sponsored cyber actors since at least May 2021 to target Healthcare and Public Health (HPH) Sector organizations.”

It stated: “Since May 2021, the FBI has observed and responded to multiple Maui ransomware incidents at HPH Sector organizations. North Korean state-sponsored cyber actors used Maui ransomware in these incidents to encrypt servers responsible for healthcare services — including electronic health records services, diagnostics services, imaging services, and intranet services.”

It added: “In some cases, these incidents disrupted the services provided by the targeted HPH Sector organizations for prolonged periods. The initial access vector(s) for these incidents is unknown.”

The advisory “highly” discouraged any payment of ransom “as doing so does not guarantee files and records will be recovered and may pose sanctions risks.”

Tacoma-based CHI Franciscan, which now operates as part of the Chicago-based CommonSpirit Health network, has suffered previous data breaches:

▪ In 2014, a phishing scam targeted its email network, exposing some patient clinical information, along with some patients’ Social Security numbers. In that case, hackers obtained user names and email passwords of about 20 Franciscan Health System staff members by sending them an email message purportedly from Catholic Health Initiatives, Franciscan’s parent company at the time. The scheme targeted CHI health workers nationwide.

▪ In 2016, the health system reported that a stolen laptop contained information on more than 12,000 current and former patients of CHI Franciscan Health Hospice. The laptop was in a backpack that also contained a day planner with the employee’s username and password.

HiPAA Journal, which tracks health systems’ compliance with the Health Insurance Portability and Accountability Act, noted in a roundup of U.S. health care cyberattacks through June that 2021 saw more data breaches reported “than any other year since records first started being published by the U.S. Health and Human Services’ Office of Civil Rights.”

“In 2021, an average of 1.95 healthcare data breaches of 500 or more records were reported each day,” according to the report, which estimated the number of records stolen or improperly exposed or disclosed between 2009 and 2021 equates to “more than 94.63 percent of the 2021 population of the United States.”

It noted records encryption and better security practices have helped guard against such data theft.

“Our healthcare data breach statistics show the main causes of healthcare data breaches are now hacking/IT incidents, with unauthorized access/disclosure incidents also commonplace,” it stated.

FINANCIAL STRAIN ALREADY AFFECTING SYSTEM

CommonSpirit Health formed in 2019 through alignment of Catholic Health Initiatives and Dignity Health. It has become one of the largest nonprofit health systems in the United States, with more than 1,000 care sites in 21 states, serving 20 million patients, according to its website.

Virginia Mason Franciscan Health completed the merger of their Seattle and Tacoma-based health systems in January 2021.

VMFH hospitals in the Puget Sound area include St. Clare in Lakewood; St. Joseph and CHI Franciscan Rehabilitation Hospital, both in Tacoma; St. Elizabeth in Enumclaw; St. Anthony in Gig Harbor; St. Michael in Silverdale; Virginia Mason Hospital and Seattle Medical Center in Seattle; St. Anne in Burien; and St. Francis in Federal Way.

The current cyber security event comes the same week the Washington State Hospital Association warned of vast financial losses being experienced at hospitals statewide.

Losses for the hospitals totaled approximately $1.75 billion in the first six months of 2022, a rate WSHA President and CEO Cassie Sauer and other hospital officials speaking Tuesday emphasized was “unsustainable.”

The news followed similar dismal returns WSHA shared in July.

CommonSpirit Health in September reported an operating loss of $1.04 billion for fiscal year 2022 from its sites nationwide.

David Nosacka, chief financial officer of Virginia Mason Franciscan Health, told The News Tribune in a statement on Wednesday: “On par with other hospitals in the state, Virginia Mason Franciscan Health is experiencing significant financial losses due to various factors, including the rising cost of labor, loss of federal funding for COVID-19 patients and high patient volumes compounded by an increased number of patients waiting for guardianship to be established.”

He added: “As a health system, about 200 patients a day on average have their discharge delayed 24 hours or more due to post-acute care placement challenges and guardianship issues which impact our overall inpatient capacity. The net impact of all these challenges is staggering, and unsustainable for VMFH and other hospitals in the state.”

Nosacka said the system was working to “improve efficiency and effectiveness, as well as reduce our costs, so we can focus our resources in patient care areas.”

Cyber security analyst Robert Siciliano is CEO of ProtectNowLLC.com. He told The News Tribune via email on Thursday the current outage was “likely a ransomware attack.”

He added that, “The cost of a breach in the healthcare industry went up 42 percent since 2020.”

He noted, “For the 12th year in a row, healthcare had the highest average data breach cost of any industry at $10.10 million.”

Reuters
US proposal for frozen Russian asset revenues gaining ground, G7 officials say
A U.S. proposal for using future interest on some $300 billion in frozen Russian assets to aid Ukraine, instead of seizing them outright, is gaining momentum among the Group of Seven nations, two G7 officials said. Collateralizing the interest earned on the frozen Russian assets, which would amount to some $5 billion a year, is emerging as one of the favored options to bridge differences between the U.S. and Europe ahead of a G7 leaders summit in Italy in June. But G7 members are still arguing about certain "holdbacks" that would whittle down those expected windfall profits to just $2.5-$3.0 billion, one of the officials said, pointing to Belgium's 25% tax rate, a "convenience fee" applied by depository Euroclear, and a proposed litigation reserve.
2 minutes ago
Reuters
Spain's Iberdrola, Norway wealth fund expand renewables partnership
Europe's largest utility Iberdrola and Norway's $1.6 trillion sovereign wealth fund are building up on their existing partnership in renewables to jointly invest more than 2 billion euros ($2.15 billion) in Spain and Portugal. The deal is in line with Iberdrola's strategy of selling minority stakes in renewable projects to help fund its large investments in new projects and network assets. The Spanish firm and Norges Bank Investment Management (NBIM), the operator of the Norwegian fund, said on Thursday they reached an agreement for the fund to buy a 49% stake in a 644 megawatt portfolio of Spanish solar projects from Iberdrola for 203 million euros.
3 minutes ago
Evening Standard
Crystal Palace: Marc Guehi set for full training return in boost to Euro 2024 hopes
The centre-back is a favourite of Gareth Southgate and is back on the comeback trail after an injury in February
3 minutes ago
The Independent
Martin Brundle slams ‘lucky dip’ F1 points revamp proposal ahead of key meeting
A team has proposed changing the points-scoring system from a top-10 to a top-12 for next season
4 minutes ago
Yahoo Life UK
Unusual glow in child’s eye turns out to be a sign of cancer
The five-year-old was playing in the sun when his mum noticed an unusual, white glow in his right eye.
5 minutes ago
USA TODAY
It's Take Our Daughters and Sons To Work Day: How to help kids get the most out of it
Thursday is Take Our Daughters and Sons To Work Day 2024. See why kids have been shadowing their parents for over 30 years and how the tradition started.
5 minutes ago
The Independent
Scottish government coalition collapses as SNP end power-sharing with Greens
The decision came after first minister Mr Yousaf called an emergency meeting of the Scottish cabinet to address growing tensions between the Scottish Greens and the SNP
5 minutes ago
The Independent
Conor McGregor vs Michael Chandler co-main event revealed as Jamahal Hill faces Khalil Rountree Jr
McGregor will return after a three-year absence from the cage, fighting in the main event of UFC 303
6 minutes ago
GuruFocus.com
Virginia National Bankshares Corp Reports Mixed Q1 2024 Financial Results
Net Income Declines Year-Over-Year Despite Strong Loan Growth and Stabilized Cost of Funds
7 minutes ago
GuruFocus.com
Eagle Bancorp Montana Inc. Misses Q1 Earnings Estimates, Declares Dividend
Insights into EBMT's Financial Performance and Future Prospects
7 minutes ago
The Independent
Venice day trip tax begins: Officials tell Simon Calder it is ‘not a money-making scheme’
Exclusive: ‘Humanity has one duty to preserve and safeguard Venice’ – Simone Venturini, deputy mayor for tourism for Venice
8 minutes ago
PA Media: Money
Labour pledges to renationalise railways ‘well within first term’ if elected
Shadow transport secretary Louise Haigh said the plan was ‘fully costed’.
8 minutes ago
Charlotte Observer
UNC QB Drake Maye is about to get drafted by an NFL team. But which one? Rumors abound.
Maye, the former UNC QB, is expected to be a Top-5 pick in the NFL Draft. The Patriots, Vikings and Giants are all potential landing spots.
9 minutes ago
Miami Herald
What you need to know about the six constitutional amendments on Florida’s 2024 ballot
The ballot is hard to read. We make it easy to understand.
9 minutes ago
The State
How much house will $325k buy in Shandon versus Rosewood — and are the trade-offs worth it?
It’s one of Columbia’s most idealized neighborhoods — one Shandon home is currently listed for nearly $900,000 — but how far will your money go here?
9 minutes ago
Variety
‘Expats’ Star Ruby Ruiz to Lead James J. Robinson’s Directorial Debut ‘First Light’ (EXCLUSIVE)
Multi-award winning Filipina actress Ruby Ruiz has landed her first major screen role following her appearance in Amazon’s “Expats.” She will lead “First Light,” the feature directorial debut of James. J. Robinson. Principal photography is now underway on the Australian-Fiipino co-production, which comes with funding from Screen Australia. Veteran actress Maricel Soriano (“Mother Nanny”), Rez …
9 minutes ago
Raleigh News and Observer
Zoom bombers interrupt meeting, use racist slurs against Raleigh City Council member
“It really disturbed me,” the council member said. “Deeply, I literally burst into tears right after the meeting.”
9 minutes ago
The State
SC K-12 teachers pay raise locked in for next year. Here’s how educator pay is changing
The minimum starting pay for teachers in South Carolina this year is currently $42,500 a year.
9 minutes ago
Cover Media
Ashley Tisdale battling 'stomach flus' and 'colds' during pregnancy
Ashley Tisdale is pregnant with her second child. The High School Musical star told her Instagram followers that her second pregnancy hasn't been easy so far. The 38-year-old actress shares daughter Jupiter with her musician husband Christopher French. The couple announced on 26 March that they are expecting their second child. Ashley's video comes just hours after she celebrated her husband's 42nd birthday with an Instagram post. The couple began dating publicly in 2012, became engaged in 2013, and married in 2014. They welcomed Jupiter in 2021.
9 minutes ago
Raleigh News and Observer
‘Something magic.’ New Hope Valley Railway marks 40 years of train rides in Wake County
The “Triangle’s Train” is one of a handful of places in North Carolina where people can ride the rails and travel back in time. Here are others.
9 minutes ago

EARLIER WARNING AND PAST BREACHES

FINANCIAL STRAIN ALREADY AFFECTING SYSTEM

Latest Stories