Ongoing cyberattack on Prospect Medical Holdings forces facilities offline, disrupts services

Prospect Medical Holdings was hit with a cyberattack last week that brought computer systems offline and continues to disrupt care in certain areas.

The Los Angeles-based private equity firm—which runs 16 hospitals and more than 165 other clinical locations across Connecticut, Pennsylvania, Rhode Island and Southern California—disclosed the breach late Thursday and continues to display a message warning of “a systemwide outage” affecting “all Prospect Medical facilities” on its main website and those of its affiliates.

In a Friday statement given to reporters and posted online, the company said it took its systems offline as a preventive measure upon learning of the breach and is conducting an investigation alongside third-party cybersecurity specialists. Reports also cite an ongoing investigation being conducted by the FBI.

“While our investigation continues, we are focused on addressing the pressing needs of our patients as we work diligently to return to normal operations as quickly as possible,” the company said in its statement.

News reports and updates posted online by Prospect’s affiliate systems outline varying degrees of disruption across the facilities.

CharterCARE Health Partners, an affiliate with two hospitals in Rhode Island, said on Facebook that its hospitals had switched to paper records Friday and that “some patient procedures may be affected and those patients will be contacted.” In another notice a day later, the organization said that the hospitals’ emergency departments were accepting walk-ins.

Eastern Connecticut Health Network, which has two hospitals and other facilities, currently displays a list of services and locations that are suspended. These include elective surgeries and GI procedures, outpatient medical imaging, outpatient blood draw and outpatient physical therapy.

Waterbury Health, also in Connecticut, said Saturday that “a few of its outpatient services have been affected including outpatient blood draw and diagnostic imaging services, which were not available Friday and Saturday.” A Thursday statement noted that its Waterbury Hospital was following downtime procedures “including the use of paper records, until this is resolved.”

Crozer Health, which has four hospitals plus other outpatient centers in Pennsylvania, reportedly lost computer systems Thursday and continues to display a message online alerting patients to the breach.

Representatives at Crozer and Eastern Connecticut Health Network referred to the incident as a ransomware attack in comments to The Philadelphia Inquirer and a Connecticut-area local news outlet, respectively, though parent company Prospect declined to confirm or deny to the AP whether the organization was being extorted.

California facilities owned by Prospect have also posted the system outage notice on their websites, though reports have not circulated of specific service interruptions among those facilities.

Fierce Healthcare has sent a request to Prospect asking for any timely updates and additional information characterizing the breach.

In a statement, Robert Fuller, special agent in charge of the New Haven Field Office of the FBI, said that the government agency is “working closely with law enforcement partners and the victim entities to address the issues [affecting Prospect.] … At this time there is no further information we can share as this is an ongoing investigation. If and when information can be shared we will do so.”

The healthcare sector saw roughly 295 breaches affecting over 39 million individuals during the first half of 2023, according to the Office for Civil Rights.

Providers have been squarely in the line of fire. Major hospital chain HCA Healthcare disclosed in July an 11 million-patient data breach, which has also led to several lawsuits from affected patients. HCA is continuing to investigate but said during a recent earnings call that it does not expect the breach to have a material impact on its business.

Another major multistate breach came in late 2022 when Catholic giant CommonSpirit Health found more than 100 of its facilities touched by a two-and-a-half-week ransomware attack. Alongside hitches in its IT systems, the attack compromised more than 600,000 patients’ information and was estimated to cost the organization $150 million due to business interruptions, insurance recoveries and other related expenses.

In June, regional health network St. Margaret’s Health became the first to cite the financial impact of a multiweek ransomware incident from 2021 in its decision to close a rural Illinois hospital.

Cybersecurity breaches cost healthcare organizations an average of $10.1 million each during 2022, a 9.4% increase over 2021 that’s well above the average cost for any other sector of the economy.