Endpoint Security , Fraud Management & Cybercrime , Incident & Breach Response

Memorial Health System in Ohio Latest to Be Hit With Attack

Hospitals Diverting ER Patients to Other Area Facilities
Memorial Health System in Ohio Latest to Be Hit With Attack
Marietta Memorial Hospital is among three Memorial Health System facilities affected by a cyber incident.

Memorial Health System in Ohio is the latest healthcare entity to be hit with an apparent ransomware incident that is disrupting patient care services.

See Also: Rising IoT Botnets and Shifting Ransomware Escalate Enterprise Risk

Memorial Health System - based in Marietta, Ohio - says that early on Sunday morning it detected a security incident that prompted the organization to divert emergency care patients from three of its hospitals to other area facilities.

User Access Suspended

In a statement, Memorial Health System says that in response to the incident, it suspended user access to IT applications related to its operations.

"We have implemented extensive information technology security protocols and are working diligently with security partners to restore information operations as quickly as possible. Federal law enforcement has also been notified," the statement says. In the meantime, the incident "may result in temporary disruptions to certain aspects of our clinical and financial operations."

Scott Cantley, Memorial Health System president and CEO, says in the statement: "Maintaining the safety and security of our patients and their care is our top priority and we are doing everything possible to minimize disruption. Staff at our hospitals - Marietta Memorial, Selby and Sistersville General Hospital - are working with paper charts while systems are restored, and data recovered.”

All urgent surgical cases for Monday were canceled and patients were notified, the statement notes. In addition, all radiology exams have been cancelled. As of Monday, however, all primary care appointments were being conducted as scheduled, Memorial Health says.

“At this time no known patient or employee personal or financial information has been compromised,” Cantley said in the statement. “We are continuing to work with IT security experts to methodically investigate to precisely understand what happened and are taking the appropriate actions to resolve any and all issues.”

As of Monday evening, the organization was still addressing the situation, a Memorial Health spokeswoman told Information Security Media Group.

"There is no significant change today. We continue to work with national cybersecurity experts on prevention and remediation and are optimistic that we can begin resolution by the end of this week," she said.

Disturbing Trend

News site Bleeping Computer reports that it has seen "evidence" that the Memorial Health System incident involved the Hive ransomware gang.

"Like most ransomware gangs, Hive has a leak site called HiveLeaks and hosted on the dark web, where they published links to data stolen from almost two dozen victims that did not pay the ransom,” Bleeping Computer reports.

"Hive uses an idiotic and amateurish cryptographic scheme in which a hundred RSA keys of varying bit size are used to encrypt files," says Brett Callow, a threat analyst at security firm Emsisoft.

"Because of this, the decryptor takes upwards of 30 minutes to initialize on each and every system on which it needs to be run. In other words, if an organization has one hundred encrypted systems, upwards of fifty hours will be spent on initializations before any decryption begins. And this is in addition to the usual bugs and annoyances that are pretty much standard in threat actors’ tools," he says.

"Combined, these factors make for a very slow recovery process in cases where the demand needs to be paid."

Memorial Health System did not disclose whether its incident involves ransomware.

But Callow notes this latest incident involving Memorial Health System is apparently among a long string of very troubling ransomware attacks on healthcare sector entities in recent weeks and months.

"So far, we’ve been lucky and attacks on hospitals haven’t actually resulted in a loss of life - but that luck will not last forever," he says.

"The attacks will kill somebody sooner or later. That’s pretty much a given. It’s absolutely critical that we find a way to better protect healthcare providers - or stop the attacks against them - before that happens. Unfortunately, that’s easier said than done, and I don’t see any way to tackle the problem quickly. Governments should have started taking the problem seriously, and taking strong and decisive action, long before the attack on Colonial Pipeline."

Sioux Falls, South Dakota-based Sanford Health and Indianapolis, Indiana-based Eskenazi Health were also targets last week of cyberattacks - both apparently involving ransomware - also causing patient care postponements and cancellations (see: 2 Healthcare Systems Recovering from Cyberattacks).

Those incidents came on the heels of recent ransomware attacks on Scripps Health and UF Health Central Florida.

The recent ransomware attack that disrupted Scripps Health's IT systems and patient care for nearly a month has so far cost the San Diego-based organization nearly $113 million, including $91.6 million in lost revenue, according to a financial report the nonprofit entity filed last week with a municipal securities regulator.


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing fraudtoday.io, you agree to our use of cookies.