A lawyer for the parent company of three Connecticut hospitals that were victims of a cyberattack told the state attorney general’s office they are still unsure if patients’ personal information has been compromised.
The letter also confirmed that not all of the hospitals’ systems are back online more than a month after the attack.
“Prospect Medical’s information technology teams are continuing to work around-the-clock to securely restore access to its system as quickly and safely as possible, and in a manner that prioritizes its ability to provide patient care,” attorney Sara M. Goldstein wrote in an Aug. 21 letter to Attorney General William Tong’s office.
Goldstein is an attorney for BakerHostetler of Philadelphia, which is representing Prospect Medical. The system operates 16 hospitals in California, Connecticut, Pennsylvania and Rhode Island.
In Connecticut, Prospect’s Eastern Connecticut Health Network consists of Manchester Memorial Hospital and Rockville General Hospital and Waterbury HEALTH.
ECHN declined to answer specific questions about the cyberattack on Friday, such as whether the hospitals have yet determined if patient records were compromised. Instead, ECHN’s Director of Community Relations Kimberly A. Forbes issued a statement echoing Goldstein’s letter to the attorney general’s office, writing that “because our investigation is ongoing, we do not have additional information to share at this time.”
“ECHN continues to work around-the-clock to recover critical systems and restore their integrity. We are making progress and some operational systems are coming online. We do not yet have a definitive timeline for how long it will be before all of our systems are restored,” Forbes said.
The hospitals were victims of a ransomware attack that was first discovered on Aug. 1, according to a previous letter to Tong’s office.
They initially notified the attorney general’s office of the possible breach – as required by state law – on Aug. 4. At that time Goldstein wrote “there had been unusual activity in its IT environment.”
The breach forced the hospitals to divert emergency care patients to other hospitals for more than 24 hours, cut off access to online medical records and forced them to cancel elective surgeries.
In the most recent letter, Goldstein acknowledged that the hospital chain still doesn’t have a timeline for when all of its systems will be restored.
Services currently not being offered include outpatient imaging services at the Women’s Center, Manchester Memorial and Rockville General hospitals, and Evergreen Imaging locations, as well as outpatient blood draw at three locations, ECHN said Friday.
State Department of Public Health Spokesman Christopher Boyle said the agency’s Facility Licensing and Investigation team, and its Office of Public Health Preparedness and Response, continue to receive facility status updates from Prospect Medical in regard to the recent data security incident.
“DPH conducted several unannounced on-site visits to each of the hospitals during the incident. In addition, DPH monitored patient census data daily and met with the hospital system’s incident management team to keep apprised of the response,” Boyle said. “DPH also continues to share information regarding this incident with its federal partners, the Centers for Medicare and Medicaid Services and the Administration for Strategic Preparedness and Response.”
In a statement, the Connecticut Hospital Association said the state’s hospitals are committed to safeguarding patient information but “even the most sophisticated data systems can be vulnerable to intrusion when attacked by motivated bad actors.
“Globally, health care has become a target for attacks and defending against them is an integral part of all health care operations,” CHA’s statement said. “Here in Connecticut we’ve also seen recent breaches impact banks, insurance companies, schools, and utilities. We are encouraged by the state’s creation of a collaborative Cybersecurity Task Force this year which can build upon the work that hospital teams have led to ensure high quality care is matched with the highest quality security.”
While ECHN initially referred to the data breach as an “IT issue,” the letter from Goldstein makes clear it was a targeted attack. She wrote that the cybersecurity firm ECHN hired to investigate the incident determined “Prospect Medical data was taken by unauthorized actors.”
While the letter doesn’t divulge details about what happened, the Rhysida ransomware gang has claimed responsibility for the cyberattack, according to an Aug. 27 article by BleepingComputer, an online information security and technology news publication.
The U.S. Department of Health and Human Services in August issued a security bulletin warning that Rhysida was behind several recent attacks on health care organizations. BleepingComputer reported that Rhysida claims to have stolen up to a half million personal records of patients and employees of the three Connecticut hospitals but neither ECHN nor Prospect Medical have confirmed any patients’ personal information has been exposed.
Goldstein wrote that Prospect Medical is “working diligently to analyze the files that were taken.
“If the investigation determines that any protected health or personal information is involved, Prospect Medical will provide the appropriate notifications.”