Tallahassee hospital continues to operate offline, working with FBI to address 'IT security event'

Updated Wednesday, Feb. 8, 12:10 p.m. ET

Tallahassee Memorial HealthCare remains offline almost a week after an "IT security issue" occurred late Thursday that's been reported to be a ransomware attack.

In an update posted to its website Wednesday, the health system said it is collaborating closely behind the scenes with HCA Florida Capital Hospital and Leon County EMS to "coordinate the flow of patients being routed to HCA."

"We are extremely appreciative of their partnership to ensure our community continues to receive medical care," the health system said.

Health system officials acknowledged that the community is eager for more information about the security event.

"Our teams are working around the clock in collaboration with outside experts and state and federal agencies to investigate the cause of the event and safely restore all computer systems as quickly as possible. We will provide updates as this investigation progresses, bearing in mind that security, privacy and law enforcement considerations impact the amount of detail we can provide," the health system said.

Updated Monday, Feb. 6, 2:10 p.m. ET

Tallahassee Memorial HealthCare remains offline after an "IT security issue" occurred late Thursday.

According to an update posted to its website Monday afternoon, the hospital is now performing "limited surgeries and procedures." "Patients will be notified by TMH if they are scheduled for surgery and by their doctor’s office if they need to be rescheduled," the hospital said.

The hospital is still diverting some emergency room patients to other hospitals.

The facility continues to operate on "downtime procedures," according to the update.

"Patients and families may notice the switch to paper documentation during registration, admission, or during their care, as our providers will be using paper forms, prescription pads, handwritten notes, or other similar paper methods where they may usually use an electronic process. We apologize for any delays this may create. We practice for situations like this, and we are prepared to provide safe, high-quality care to our patients during computer system downtimes," the hospital said in its statement.

The hospital said it notified law enforcement about the IT security event, though it hasn’t provided details.

The FBI confirmed to Fierce Healthcare that it is working with Tallahassee Memorial HealthCare to "assess the situation."

When contacted by Fierce Healthcare, an FBI spokesperson said via email, "FBI Jacksonville was notified of an IT security event at Tallahassee Memorial HealthCare. While our policy prohibits us from confirming or denying the existence or status of a federal investigation, we are working with TMH security teams to assess the situation."

Tallahassee Memorial HealthCare leadership told medical staff that “great progress” has been made in the investigation into a computer security issue that severely disrupted operations over the past few days, the Tallahassee Democrat reported Monday.

Posted Saturday, Feb. 4, at 5 p.m. ET

Tallahassee Memorial HealthCare is diverting some emergency patients to other hospitals and canceling non-emergency surgical and outpatient procedures after an "IT security issue" occurred late Thursday.

The healthcare provider, which operates a 772-bed hospital and multiple specialty care centers serving 21 counties in North Florida and South Georgia, also took its IT systems offline, according to a statement posted on its website Friday morning.

"We continue to divert some EMS patients. We are only accepting Level 1 traumas from Leon County and the immediate surrounding counties and patients experiencing stroke and myocardial infarction (heart attack)," the hospital system said in an update posted Saturday.

Local media are reporting that the IT security breach is a suspected ransomware attack, citing sources with knowledge of the situation.

Staff have been unable to access digital patient records and lab results because of the shutdown, CNN reported, citing a hospital source.

Mark O’Bryant, Tallahassee Memorial’s CEO, notified staff in person Friday morning that the system had suffered a “cyberattack,” according to the source, CNN reported.

Tallahassee Memorial HealthCare said the security incident is "an active, ongoing investigation."

"We contacted law enforcement when this incident occurred, and we continue to work with the appropriate law enforcement agencies. We are also working with third party experts to assist in the investigation," officials said.

Tallahassee Memorial HealthCare spokesperson Tori Lynn Schneider told CNN “some” emergency patients were being diverted to facilities outside of the organization’s network, but declined to say how many patients. All non-emergency and elective procedures scheduled for Monday were canceled because of the hacking incident, Schneider said.

Atlantic General Hospital in Maryland was also reportedly hit by a ransomware attack over the weekend, according to local news outlet WMDT47.

Emsisoft Threat Analyst Brett Callow told BleepingComputer that the cybersecurity incident at Tallahassee Memorial HealthCare marks the second suspected ransomware attack at a U.S. hospital in 2023. There were 25 attacks against health systems operating 290 hospitals in 2022, Callow said.

In December, Lake Charles Memorial Health System disclosed that hackers breached its network and accessed patients' personal data in an attempted ransomware attack back in October. CNN reported that the hackers accessed the data of nearly 270,000 patients. The health system thwarted the hackers’ attempt to encrypt its computers and prevented any disruption to patient care, CNN reported.

U.S. hospitals are facing an unrelenting barrage of ransomware attacks, and these attacks accelerated during the COVID-19 pandemic. The federal government has warned about ransomware operations that actively target hospitals and healthcare organizations.

The Department of Health and Human Services (HHS) recently warned that pro-Russian hacktivist group Killnet is actively targeting the U.S. healthcare industry with distributed denial of service (DDoS) attacks. In an analyst note, the Health Sector Cybersecurity Coordination Center (HC3) said the group's DDoS attacks can cause "thousands of connection requests and packets to be sent to the target server or website per minute, slowing down or even stopping vulnerable systems."

"While KillNet’s DDoS attacks usually do not cause major damage, they can cause service outages lasting several hours or even days," the department said.

Last year, the group hacked a U.S.-based healthcare organization that supports U.S. military members and stole a large set of user data from the company, HC3 said in the note. On January 28, 2023, an alleged Killnet attack list for hospitals and medical organizations in several countries was found by users and publicly shared, HHS said.

Last month, the Justice Department announced it was able to shut down the computer infrastructure used by a ransomware gang to target healthcare organizations. The FBI, in coordination with international law enforcement groups and Europol, secretly infiltrated the Hive ransomware gang's infrastructure in July 2022. Hive has targeted more than 1,500 victims in over 80 countries around the world, including hospitals, school districts, financial firms, and critical infrastructure, according to the agency.

The FBI infiltrated Hive’s computer networks, captured its decryption keys, and offered them to victims worldwide, preventing victims from having to pay $130 million in demanded ransom. The FBI has provided over 300 decryption keys to Hive victims who were under attack, the agency said in a press release.

Law enforcement agencies also seized control of the servers and websites that Hive uses to communicate with its members, disrupting Hive's ability to attack and extort victims.

Since June 2021, the Hive ransomware group has targeted more than 1,500 victims around the world and received over $100 million in ransom payments.