Rural Illinois hospital says 2021 ransomware attack partially to blame for closure

A rural Illinois hospital closure slated for the end of the week has been attributed in part to a multiweek ransomware incident the organization suffered in early 2021, marking what experts say is the first time hospital leadership has explicitly linked a shutdown to a cyberattack.

St. Margaret’s Health—a regional health network formed in 2021 when two hospitals, St. Margaret’s Hospital in Spring Valley and Illinois Valley Community Hospital in Peru, consolidated their operations—is scheduled to close all hospital, clinic and related facilities at both locations Friday at midnight.

In a video posted last month to Facebook, Suzanne Stahl, chair of St. Margaret’s Health’s parent organization SMP Health, warned employees and the community that the closure was on its way.

“Due to a number of factors such as the COVID-19 pandemic, the cyberattack on the computer system of St. Margaret’s Health and a shortage of staff, it has become impossible to sustain our ministry,” she said in the video. “This saddens us greatly.”

Stahl noted that financial challenges have become commonplace across the nation’s rural hospitals, forcing some to close. There have been at least 10 rural hospital closures so far in 2023, up from seven during 2022, according to the University of North Carolina’s NC Rural Health Research Program.

SMP Health and OSF Healthcare have signed a nonbinding letter of intent for the latter to acquire the Peru campus and its related ambulatory facilities and clinics, Stahl said. OSF plans to reopen services at those locations at a later date.

SMP Health had been hit with a ransomware attack in early 2021, an incident that officials told NBC News prevented the hospital from submitting claims to commercial and public insurers.

“You’re dead in the water,” Linda Burt, vice president of quality and community service at St. Margaret’s Health, told NBC. “We were down a minimum of 14 weeks. And then you’re trying to recover. Nothing went out. No claims. Nothing got entered. So it took months and months and months.”

Ransomware attacks against healthcare organizations doubled from 2016 to 2021, researchers have found, and the average 2021 breach was estimated to cost about $9.2 million.

The attacks target healthcare organizations small and large, as was made evident late last year when a breach at CommonSpirit Health locked down IT systems at numerous hospitals for weeks and cost the large nonprofit an estimated $160 million.

St. Margaret’s Health’s shutdown marks a grim milestone for such attacks, though leaders at cybersecurity firms warn that similar repercussions are likely to follow among other vulnerable providers.

“It is gutting to see the closure of St. Margaret’s Health System in Spring Valley, IL. It won’t be the last,” Joshua Corman, vice president of cyber safety strategy at Claroty, said in an emailed commentary. “These ‘target rich, but cyber poor’ medium, small and rural hospitals may be one bad day—one ransomware incident away—from a path to closure.”

Corman also noted that the facilities most exposed to potential closures are often far from an alternative care site, placing their communities at greater risk when seeking care for “time-sensitive conditions where minutes or hours can mean the difference.”

Erich Kron, security awareness advocate at cybersecurity training platform KnowBe4, framed St. Margaret’s Health’s closure as a warning to other financially strained hospitals not to skimp on protection.

“This is an important thing to understand as in many organizations when finances become lean, it’s very tempting to reduce budget for things like cybersecurity,” Kron said in an email statement. “Many organizations have suffered the effects of ignoring cybersecurity in favor of the bottom line, only to find out it was a poor decision.”

Hospitals that find themselves in this position can instead be “very intentional about where they spend their cyber budget” and target low-cost protections against high-frequency breach tactics such as email phishing attacks.

“While technical controls are certainly required, ensuring that employees are educated and trained on how to spot and report potential social engineering attacks quickly can be one of the most cost-effective ways to reduce the risk of a breach; however, many organizations put little effort into this critical defense,” Kron, whose company offers such training, said.