UHS says recovery process complete for corporate data centers after cyberattack

The Pennsylvania-based chain was targeted by an apparent ransomware attack last week, leading to a network shutdown throughout all of its 250 U.S. facilities.
By Kat Jercich
12:10 PM

Universal Health Services issued a statement on Saturday morning saying it is continuing to recover from an IT security issue that led to a network shutdown throughout all its U.S. facilities.

"The recovery process has been completed for all servers at the corporate data center. All U.S. based inpatient facilities have connectivity established back to the corporate data center and are in process of securely connecting to those systems," said the King of Prussia, Pennsylvania-based chain in a statement on its website.

According to UHS, major information systems such as the electronic health record were not affected by the attack, and the company is focused on restoring connections to such systems.

Learn on-demand, earn credit, find products and solutions. Get Started >>

"In the meantime, our facilities are using their established back-up processes including offline documentation methods," the statement read.

UHS also specified details of the attack, saying that it was caused by malware. Outlets have reported that the incident appears to be consistent with the Ryuk ransomware.

The statement reiterated that the company has no indication that any patient or employee data has been accessed, copied or misused, and that none of its operations in the United Kingdom were affected.  


Computers at UHS first started to fail last weekend, meaning it's been more than a week since the chain's network was fully operational. 

UHS has said that all 250 facilities in the United States were affected by the attack, with some facilities reportedly forced to return to pen-and-paper documentation for patients.

Nurses told NBC News last week that they'd had difficulties with an online medication system, and a cardiologist at a UHS facility said in a CNN report that he'd had to cancel several surgeries, although patient safety isn't necessarily a problem. Still, the company stresses that patient care "continues to be delivered safely and effectively."

Earlier this year, the U.S. Department of Health and Human Services issued a warning about Ryuk, the ransomware that appears to be at play in this attack. Though it originated in North Korea, its updated attribution has been linked to Russian cybercriminal groups, as well as other threat actors. It's often deployed in conjunction with the trojans TrickBot and Emotet. It is known to be one of the most expensive ransomware families, with average ransom payment costs upwards of $80,000.

"Ryuk can be difficult to detect and contain as the initial infection usually happens via spam/phishing and can propagate and infect IoT/IoMT devices, as we’ve seen with UHS hospital phones and radiology machines," said Jeff Horne, chief security officer at Ordr, in a statement provided to Healthcare IT News this past week.

"Once on an infected host, it can pull passwords out of memory and then laterally moves through open shares, infecting documents and compromised accounts," Horne continued.


When it comes to ransomware attacks, cybersecurity experts told Healthcare IT News that health systems have a few options – and that a robust preparation plan is a vital part of the process.

"Modern response efforts should consist of appropriate backup storage procedures, planning for a when, not if, you were to get compromised," said Neal Dennis, threat intelligence specialist at Cyware.

Law enforcement agencies generally advise not paying the ransom – though, in some cases, the data being held hostage may be of high enough import to justify doing so. In June, UC San Francisco paid $1.14 million to decrypt data that, it said, was important to its academic work as a "university serving the public good."  


Ransomware use across industries surged in 2019, with no foreseeable slowdown in the future.

"Ransomware keeps making headlines as researchers warn of a sevenfold increase compared to last year," said Horne.

Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Email: kjercich@himss.org
Healthcare IT News is a HIMSS Media publication.

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.