‘Universal Health Services’ (UHS) has been hit by Ryuk ransomware actors, who are apparently continuing independently from Conti following a short period of inactivity. As it happens, UHS is a Fortune 500 healthcare service provider with annual revenues of more than $11 billion, roughly 90,000 employees, and a large number of hospitals (more than 400) in both the United States and the UK.
UHS owns subsidiaries such as Alpha Hospital Group, Ascend Health Corporation, Cygnet Health Care, Foundations Recovery Network, Palo Verde Behavioral Health, Psychiatric Institute of Washington, and Psychiatric Solutions, Inc.
All in all, this is a big entity in the field, and a ransomware attack against them is affecting a large number of people who are in need of medical services. According to the official UHS statement, the IT network across all of their facilities remains down following a security incident that took place during the weekend, but patient care continues to be delivered.
Staff have reverted to back-up processes such as offline documentation systems, while the IT teams work to restore network operations. Allegedly, no patient or employee data has been accessed or exfiltrated by the attackers.
ZDNet attempted to confirm the operational status of various UHS hospitals and found that some of them were indeed down, whereas others reported having no network problems at all. A Reddit thread where users claim to work for UHS has been giving away details about the event since yesterday.
According to these posts, which we have no way to confirm, everything has gone to “paper” and manual logging, but no actual impact such as patient deaths has been recorded yet. However, EMS diversion has been put in place, which will inevitably affect incoming urgent cases. Reportedly, the ransomware disabled AV tools on the Windows 10 machines as it hit them, and employees are not yet allowed to power anything back up.
Daniel Normal, senior solutions analyst at ISF, has provided us with the following comment on this security incident: