Fears of ‘biggest medical cyberattack in history’: IT system with hospital records of 20 million Americans hit, causing cancer delays and ambulance diversions
CommonSpirit Health has admitted to having ‘IT issues’ as a result of a cyberattack
The country’s fourth-largest health system faces unit disruptions
It was not clear how many of the 140 hospitals in 21 states were affected
The medical records of up to 20 million Americans may have been leaked in what could turn out to be the largest medical cyberattack in US history.
CommonSpirit Health — the country’s fourth-largest health system — was the target of a major IT ransomware attack this week.
It’s not clear how many of the 140 hospitals in 21 states have been affected, but the hack has already resulted in cancer appointments being canceled and ambulances being diverted.
Among those affected are Virginia Mason Medical Center in Washington – the second best in the state – and MercyOne Medical Center in Iowa.
IT experts warned today that it could be the ‘biggest’ cyberattack ever against a medical system in the US.
Pictured above is the MercyOne hospital in Iowa, one of the facilities affected by the ransomware attack. Operations are canceled for patients.
Listed above are the states where CommonSpirit Health is active, which may be affected
A CommonSpirit spokesperson admitted this week that electronic health records — which contain patient data — and other systems had been taken offline.
They added: ‘Due to this problem [the IT attack] we have moved a number of appointments with patients.
‘Patients are contacted directly by their healthcare provider and/or healthcare facility if their appointment is affected.’
Affected patients include Kathy Kellog, of Washington, whose surgery to remove a cancerous tumor from her tongue was delayed by at least five days.
Her husband Mark told KING-TV, “Everything we do today is all on a computer, and without it you’re back in the stone age and writing on a tablet.”
The hospital they visited – Virginia Mason Medical Center – is one of many that have had systems taken offline due to the cyberattack.
Brett Callow, a threat analyst at cybersecurity provider Emsisoft, said that if all of the health system’s hospitals were affected, the attack could be the “most significant in healthcare to date.”
The IT expert has helped curb at least 15 ransomware attacks on health systems in the US this year.
In four-fifths of these, data was stolen from hospitals.
He warned that these often “pose a risk to patients’ lives” because of disruption to ambulance services and operations.
The delays caused, he said, affect “long-term patient outcomes” — or the likelihood of recovery from the procedure.
Health system sources have confirmed that the attack came from ransomware, NBC News reports.
Ransomware is a malicious type of software that blocks access to patient systems and demands payment before access is restored.
It is not clear who is behind the attack and how it could have taken place.
It started on Monday, but was still not resolved this Friday.
The largest such attack in US history to date was in September 2020, when a ransomware attack halted services in all 250 facilities – and 28 hospitals – owned by Universal Health Services.
But the attack on CommonSpirit — which has more than 700 facilities — could be the largest yet, depending on how many centers were hit.
In 2020, the FBI and other federal agencies warned that they had credible information that cybercriminals could unleash a wave of data-encrypting extortion attempts against U.S. hospitals and health care providers.
That’s because ransomware criminals are increasingly stealing data from their targets before encrypting networks, then using the stolen data for extortion.
They often seed the malware weeks before activating it, waiting for moments when they think they can get the highest payouts.
Healthcare has been classified by the US government as one of the 16 critical infrastructure sectors. Healthcare providers are seen as ripe targets for hackers.
If access to patient data is obtained, healthcare providers are required by law to notify the Department of Health and Human Services.