The 5 most significant cyberattacks in healthcare for 2020

The volume and intensity of cyberattacks on hospitals and health systems increased during the second half of 2020, and experts believe there is more to come.

"Healthcare is and has been the No. 1 target for cybercrime and the number of attacks on healthcare organizations have been increasing exponentially over the past few years, primarily because of the value of data they can obtain from a successful attack, and the fact that cybercriminals know that if they lock up systems and data, that has a significant impact on operations," Kathy Hughes, CISO of Northwell Health in New Hyde Park, N.Y., told Becker's in October after a slew of ransomware attacks.

On Nov. 16, the federal government issued a cybersecurity warning to healthcare providers about "credible, ongoing and persistent" threats.

"Cyber teams should be in a constant state of monitoring and proactively looking for issues within their network and systems and be quick to respond. System updates and patching are always critical and all cybersecurity programs should include a very detailed and robust security awareness program as nearly all cyberattacks are initially carried out through a single user's action," said Dave Summittt, CISO of Moffitt Cancer Center in Tampa, Fla.

Here are five of the most significant cyberattacks in 2020 based on the breadth of system disruption and volume of organizations affected.

1. UVM Health Network shut down its IT system after identifying an Oct. 28 cyberattack. The health system hasn't released details about the attack, which infected 5,000 network computers. The system outage lasted for more than 40 days and the health system reassigned or furloughed around 300 workers who were unable to do their jobs as a result of the computer outage. UVM Health brought in the National Guard's cybersecurity unit to help restore the computers. During the outage, the health system postponed some services. On Dec. 8, UVM Medical Center President and COO Stephen Leffler, MD, said the health system is losing $1.5 million per day in revenue and extra expenses; the health system expects the entire incident will cost more than $63 million by the time it resolves next year.

2. Ryuk ransomware hit six hospitals in the U.S. over a 24-hour period beginning Oct. 26. The federal government reported the hit in an advisory on Oct. 28, noting a list of 400 targeted hospitals had circulated among Russian hackers. A few hospitals self-reported IT outages due to ransomware during that time, including Klamath Falls, Ore.-based Sky Lakes Medical Center and Upstate New York-based St. Lawrence Health System. Sky Lakes Medical Center eventually purchased 2,000 new computers as a result of the attack. In response to the attack, unaffected health systems across the U.S. took preventative measures including pre-emptive email shutdowns and tightening security networks to protect against future attacks.

3. King of Prussia, Pa.-based Universal Health Services experienced a massive IT network outage beginning Sept. 27. The health system disconnected its IT system after identifying a malware attack; the outage lasted for eight days. UHS has hundreds of healthcare facilities across the U.S. that reverted to downtime protocols and paper records during the outage.

4. Nebraska Medicine in Omaha reported a computer network outage on Sept. 20 because of a security incident. The health system reverted to paper records during the outage, which lasted several days. The attack also affected the EHRs and computer systems for North Platt, Neb.-based Great Plains Health and Norfolk, Neb.-based Faith Regional Health Services because Nebraska Medicine powers their EHRs.

5. More than 46 hospitals and health systems had patient information exposed in a security breach at Blackbaud, a company that stores donor information for organizations, including health systems. The breach occurred Feb. 7 to May 20 and the company notified organizations of the breach in July. Notably, the breach exposed information of more than 1 million individuals affiliated with Inova in Falls Church, Va. Some health systems reported only a few thousand individuals affected in the breach while others, like Danburry, Conn.-based Nuvance Health and Broomfield, Colo.-based SCL Health reported hundreds of thousands of individuals' information was exposed.