Ransomware Reportedly Behind Nationwide UHS Hospital Outage | Digital Guardian

The Industry’s Only SaaS-Delivered Enterprise DLP

Our unique approach to DLP allows for quick deployment and on-demand scalability, while providing full data visibility and no-compromise protection.

No-Compromise Data Protection is:

  • Cloud-Delivered
  • Cross Platform
  • Flexible Controls

Digital Guardian's Blog

Ransomware Reportedly Behind Nationwide UHS Hospital Outage

by Chris Brook on Monday September 28, 2020

Contact Us
Free Demo

The full scope of the incident isn't yet known but as a result, facilities across the U.S. have been left without access to computer systems.

Hospitals nationwide are dealing with the fallout from an outage connected to a potential ransomware attack against one of the largest healthcare services providers in the country this week.

It seems Universal Health Services (UHS) - a Fortune 500 company that specializes in telemedicine and helps facilitate appointments, lab results, and medical forms for hospitals - was hit by ransomware, reportedly the Ryuk strain, over the weekend, forcing hospitals that use UHS' IT system offline.

While not every hospital appears to be impacted, several do.

Much of the discussion around the incident involves an unconfirmed post to Reddit Sunday night. In that post a user claiming to work at a UHS hospital reported the facility had no access to phones, computer systems, internet, or the data center. Because of the issue, the hospital reportedly had to send ambulances to smaller hospitals and had patients die while waiting for lab results to be delivered by courier.

A handful of other Reddit users chimed in, some saying their hospitals wouldn't let employees turn on computers, others saying they were forced to write everything down on paper.

Amid the COVID-19 pandemic, the incident could further exacerbate an already dire situation at some hospitals.

UHS was mum on the issue for about 24 hours; as of Monday afternoon, its Twitter and press release section of its website still didn't mention the incident; the company also did not return Data Insider’s request for comment Monday.

The company did issue a statement, just after noon on Monday however, confirming that its IT network is "currently offline, due to an IT security issue," adding that "no patient or employee data appears to have been accessed, copied or otherwise compromised."

“We implement extensive IT security protocols and are working diligently with our IT security partners to restore IT operations as quickly as possible. In the meantime, our facilities are using their established back-up processes including offline documentation methods. Patient care continues to be delivered safely and effectively,” the company’s statement also reads.

The statement is light on details making it even more unclear what transpired. UHS has 400 hospitals and healthcare facilities in the U.S. and the U.K but it’s not certain how many of them may be impacted.

Reddit users claiming to work for UHS hospitals in California, Florida, Georgia, Pennsylvania, North Carolina and Texas have all reported experiencing issues, many which sound like ransomware hit their computer systems, over the last 24 hours.

A handful of hospitals in Las Vegas appear to be victims as well. According to a local ABC affiliate there, five hospitals belonging to the Valley Health System, a subsidiary of Universal Health Services, Inc., were all knocked offline on Sunday too.

Some reports, including one via Bleeping Computer, claim victims' screens displayed a ransom note reading "Shadow of the Universe," a phrase that sometimes appears as part of Ryuk infections.

The same report notes that one victim claims files were renamed to include the .ryk extension - another Ryuk calling card. The ransomware hasn't commanded many headlines of late - those have mostly been dominated by REvil aka Sodinokibi - but if it is indeed Ryuk, this could be its big comeback.

Tags: Ransomware

Recommended Resources

  • The seven trends that have made DLP hot again
  • How to determine the right approach for your organization
  • Making the business case to executives
  • Why Data Classification is Foundational
  • How to Classify Your Data
  • Selling Data Classification to the Business

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.