(NPR) It was early May in 2021 when patients flooded the emergency room at the University of California San Diego Health Center.
“We were bringing in backup staff, our wait times had gone haywire, the whole system was overloaded,” said Dr. Christopher Longhurst, UC San Diego’s chief medical officer and digital officer. “We felt it.”
But the crunch wasn’t the result of a massive accident or the latest wave of patients infected by a new coronavirus variant. The influx was the direct result of a ransomware attack, a costly and unfortunately now common form of cybercrime in which hackers lock down their victims’ files and demand a ransom, often millions of dollars, to unlock them.
In reality, UC San Diego wasn’t the target. Their systems were intact. Instead, hackers had breached the hospital down the street, Scripps Health. The culprits not only took over the hospital’s digital records system and its entire computer network, but stole millions of patients’ confidential data. Scripps struggled for weeks to get back online, and is still dealing with the aftermath, having paid $3.5 million in a legal settlement earlier this year with patients whose data was exposed.
Previously, there’s been very little concrete data or analysis breaking down the direct impacts of a cyberattack on a hospital, let alone an entire region of healthcare providers. Most evidence of harm, including deaths, remains anecdotal and has been the subject of lawsuits, including one case in Alabama in 2019 where a family sued the hospital when their baby died during a ransomware attack.
There are reasons for the dearth of data. There are liability concerns, privacy laws, fear for reputational damage and technical challenges. The Scripps attack was highly publicized, and the CEO Chris Van Gorder came forward to write an op-ed about lessons learned from the attack in the San Diego Tribune several months later. However, there are still limitations on how much Scripps can share. And victims of major ransomware attacks, hospitals and other entities are still extremely hesitant to come forward.
That’s where UC San Diego comes in.
In 2019, UC San Diego appointed the first medical director of cybersecurity, Dr. Christian Dameff. Dameff, who is also an emergency department doctor, joined a team of physicians and cybersecurity experts to study the impact of a ransomware attack on a neighboring hospital, using their experience in 2021. (The paper’s authors don’t identify Scripps Hospital as the victim of the nearby ransomware attack, in order to keep attention on their results, though contextual clues like the time period and location make it clear.) They published the results of their research in the peer-reviewed Journal of the American Medical Association in May.
The team of researchers at UC San Diego documented a massive influx of patients to the emergency room in the weeks following the breach. Compared to the weeks prior to the attack, there were over 600 additional patients waiting in the emergency room, while the number of patients leaving without being seen by a doctor more than doubled. There were more than double the number of confirmed strokes during the same time period, as well as nearby double the number of emergency stroke code activations, according to the paper.
The authors concluded that their findings proved that hospitals within close proximity to a victim of a ransomware attack experience serious resource constraints, “affecting time-sensitive care for conditions such as an acute stroke.”
Cyberattacks on hospitals “should be considered a regional disaster,” the authors wrote.
