Idaho hospital diverts ambulances, turns to paper charting following cyberattack

For more than 24 hours, a hospital in Idaho has been diverting ambulances due to a cyberattack.

Idaho Falls Community Hospital along with partner clinics and nearby Mountain View Hospital are recovering from a cyberattack that took place earlier this week, according to a statement posted on the Mountain View Hospital website. The attack is said to have taken place Monday morning but was quickly detected and stopped from spreading by the hospitals’ IT teams. However, computer systems have yet to be restored.

Clinicians at Idaho Falls Community Hospital have resorted to paper charting at the 88-bed hospital in the eastern part of the state. Idaho Falls, totaling 67,000 residents, is the state’s largest city outside of the Boise metropolitan area.

Some connected clinics have been closed while ambulances have been diverted, the statement said. The hospital did not reveal the nature of the attack aside from stating that until management feels confident the “virus has been fully removed,” abnormal workflows will remain in effect.

“Team members are working around the clock to get this issue resolved as quickly as possible and doing their absolute best to limit impacts on our patients,” the hospital wrote on its website. “We want to thank everyone for their efforts, especially members of our IT team.”

Hospital spokesperson Brian Ziel told CNN that he was not aware whether any ransom demand had been made by the attackers. Ransomware has been one of the most prevalent forms of cybersecurity attacks affecting hospitals.

The technique, employed by foreign and domestic ransomware gangs, encrypts hospital systems with the promise of returning sensitive information and access if the fee is paid. However, the FBI has cautioned victims of such attacks to not pay the ransom because doing so may encourage future attacks and does not guarantee the return of sensitive patient data.

It has yet to be determined when patients by ambulance will be accepted at Idaho Falls Community, but emergency department walk-ins are being accepted, Ziel said.

Nearby Mountain View Hospital, which is a physician-owned facility, also saw its computer systems being hampered. Both Mountain View and the Community Hospital are managed by Surgery Partners, a Tennessee-based company that operates and invests in hundreds of medical facilities across the United States.

Mountain View’s website stated that patients will be contacted directly if their appointment will be rescheduled. Visitors frequenting hospital cafes were told through the hospital’s website that only cash will be accepted.

Cybersecurity attacks that cause the rerouting of ambulances have been shown to create ripple effects for surrounding facilities. A recent study published in JAMA found that the May 2021 ransomware attack on Scripps Health had a significant impact on surrounding San Diego-based healthcare facilities.

During the attack and post-attack phases, local emergency departments saw a significant increase in patient numbers, wait times, patients leaving without being seen and acute stroke care metrics.

“Although cyberattacks on healthcare delivery organizations continue to increase in frequency and the financial and operational effects of such incidents are documented, the literature is largely bereft of data demonstrating an adverse effect on patient care workflows or care outcomes,” the report said.

Study authors suggested that in addition to preparing internally to prevent and recover from cyberattacks, hospitals should coordinate with surrounding facilities to plan for regional disruptions, “similar to that conducted for natural disasters,” said the study authors.  

Editor's note: This article has been updated to accurately report the ownership and operations of Idaho Falls Community Hospital and Mountain View Hospital.