Cyberattack targets networks of Vermont, New York hospitals

A cyberattack on the University of Vermont (UVM) Health Network this week negatively impacted systems at multiple hospitals in Vermont and New York, as hospitals across the country are facing a surge in both COVID-19 patients and cyber targeting. 

“The University of Vermont Health Network is working with the Federal Bureau of Investigation and the Vermont Department of Public safety to investigate a now confirmed cyberattack that has affected some of our systems,” the health care network said in a statement released Thursday. “We expect that it will take some time to restore and we are working as quickly as possible to return to normal operations.”

The cyberattack impacted networks at seven hospitals and health care centers, including three New York hospitals, three Vermont hospitals, and one Vermont hospice center.

The organizations were negatively impacted by the attack to varying degrees, with two hospitals experiencing delays in patient services, and the University of Vermont Medical Center in Burlington, Vt., being forced to reschedule some elective procedures that were previously set to take place on Thursday. 

“Staff are continuing to follow well-practiced standby procedures to ensure safe patient care,” the medical network said. “We understand the difficulty this causes for our patients and the community and apologize for the impact. There have been some changes to patient appointments and we are attempting to reach those patients who have been affected. We will continue to provide systems and patient service updates when they are available.”

The FBI’s Albany office confirmed its investigation into the attacks on the hospitals in a statement Thursday, declining to comment further than noting that “we are investigating a potential cyber attack at UVM health, along with our federal, state, and local partners.”

The attacks were made public the day after the FBI, the Department of Health and Human Services, and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) released a joint alert warning that cyber criminals had stepped up cyberattacks, in particular ransomware attacks, on hospitals. 

“CISA, FBI, and HHS have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers,” the agencies wrote in the alert. 

The agencies warned that the cybercriminals behind the attacks were deploying Ryuk malware, a ransomware virus that was involved in an attack on Pennsylvania-headquartered hospital chain Universal Health Services. All 250 of its U.S. healthcare facilities were negatively impacted by a ransomware attack earlier this month.

Multiple hospitals and healthcare groups in the U.S. have been targeted this week, including three hospitals in New York’s St. Lawrence County and Sky Lakes Medical Center in Oregon. 

Cyberattacks on hospitals have spiked during the COVID-19 pandemic, with cyber criminals eying the health care centers as vulnerable targets at a time when the pandemic has challenged the capacity of response efforts. 

According to research released Thursday by software group Check Point, there was a 71 percent increase in ransomware attacks against the U.S. health care sector in October alone, with Ryuk responsible for 75 percent of the attacks. The company noted that these numbers made the health care sector the No. 1 most targeted sector by ransomware.