Ardent Health Services hit with ransomware attack, forcing hospitals in multiple states to divert ambulances

Hospitals in multiple states have been forced to divert ambulances and reschedule some elective patient procedures after U.S. hospital owner Ardent Health Services was hit with a ransomware attack.

On Thanksgiving, Nashville-based Ardent Health Services became aware of an information technology cybersecurity incident, which has since been determined to be a ransomware attack, the company wrote in a statement posted to its website.

"The Ardent technology team immediately began working to understand the event, safeguard data and regain functionality. As a result, Ardent proactively took its network offline, suspending all user access to its information technology applications, including corporate servers, Epic software, internet and clinical programs," the company wrote.

Ardent Health Services owns and operates 30 hospitals and more than 200 sites of care with more than 1,300 aligned providers in six states, primarily in Texas, Oklahoma and New Mexico. The company also owns or partially owns one hospital in Kansas, one in Idaho and two in New Jersey. 

The fallout from the Ardent hack demonstrates how cyberattacks that target large hospital operators can have far-reaching impacts on hospitals across the country.

The company confirmed that some of its facilities are rescheduling some non-emergent, elective procedures and diverting some emergency room patients to other area hospitals until systems are back online.

"In the interim, while this incident results in temporary disruption to certain aspects of Ardent’s clinical and financial operations, patient care continues to be delivered safely and effectively in its hospitals, emergency rooms, and clinics," Ardent said on Monday.

Among the hospitals currently unable to accept ambulances are a 263-bed hospital in downtown Albuquerque, New Mexico; a 365-bed hospital in Montclair, New Jersey; and a network of several hospitals in East Texas that serve thousands of patients a year, CNN reported Monday.

A nurse working at one of the affected New Jersey hospitals told CNN that staff rushed “to print out as much patient information as we could” as it became clear that the hospital was shutting down networks because of the hacking incident.

“We are doing everything on paper,” said the nurse, who spoke on condition of anonymity because they were not authorized to speak to reporters, CNN reported.

Ardent said it reported the event to law enforcement and retained third-party forensic and threat intelligence advisors. The hospital operator also is working with specialist cybersecurity partners to restore its information technology operations and capabilities as quickly as possible.

Ardent said at this time it "cannot confirm the extent of any patient health or financial data that has been compromised."

"The investigation and restoration of access to electronic medical records and other clinical systems is ongoing. Ardent is still determining the full impact of this event and it is too soon to know how long this will take or what data may be involved in this incident," the company said.

CNN also reported that officials with the federal U.S. Cybersecurity and Infrastructure Security Agency (CISA) reached out to Ardent Health Services on November 22, the day before Thanksgiving, to warn the company of malicious cyber activity affecting its computer systems, a person familiar with the matter told CNN reporters.

Ardent Health spokesperson Will Roberts confirmed CISA officials contacted the company “to make us aware of information about suspicious activity in our system.”

Cybercriminals continue to ramp up their attacks against healthcare organizations.

"The bad guys are probing and doing reconnaissance constantly to see what can or can’t get through the network. And they are quickly changing their tactics to increase their success rate. That’s why organizations run out of human runway quickly and why their infrastructure is quickly overloaded," Jess Parnell, chief information security officer at cybersecurity company Centripetal, told Fierce Healthcare.

"Even with all the spending on cybersecurity that we see, the only thing that organizations know for sure is that their exposure to cyber risk is only going up and up and up. Companies must implement ongoing patch management and deploy proactive cybersecurity solutions to protect their valuable assets. Attackers can exploit vulnerabilities faster than IT can patch them, so active defenses can buy you time," Parnell said.

Back in February, a cyberattack forced a network of Florida healthcare organizations to send some emergency patients to other facilities and to cancel some non-emergency surgeries. Patient care also was disrupted at a hospital in Idaho back in May as a result of a cyberattack.

Prospect Medical Holdings was hit with a cyberattack in early August that brought computer systems offline and lasted nearly six weeks, crippling services at hospitals in Connecticut, Pennsylvania, Rhode Island and Southern California. The Office of the Maine Attorney General reported that, in total, 190,492 people were affected by the hack.