Cyberattack forces Ascension hospitals in Michigan to reroute patients

• Hackers on Wednesday broke into the patient health records and other systems at the Ascension hospital chain.
• That put at risk medical information at the health-care giant’s 15 Michigan hospitals and caused at least one to send arriving patients elsewhere.
• Patients should write down medications and symptoms, an Ascension spokesperson told Bridge Friday.

May 13: Ascension, owner of 15 Michigan hospitals, confirms cyberattack was ransomware

One of the nation's largest hospital chains remained under a cyber threat as the workweek closed — an attack that cut off access to the system’s electronic health records system, disrupted phones as well as scheduling and testing processes, and forced the rerouting of at least some Michigan patients. The attack also suspended some non-emergency elective procedures, tests and appointments.

What the weekend will hold is unclear.

Investigators are “working around the clock” to contain the breach and “restore our systems,” according to a statement by Ascension Thursday evening. “Our investigation and restoration work will take time to complete, and we do not have a timeline for completion.”

Ascension Michigan spokesperson Airielle Taylor said Friday the health system was “still detecting unusual activity.”

Related:

• Henry Ford, Ascension Michigan to partner in latest health care shift
• Experts: Henry Ford, Ascension Michigan venture likely to impact care, costs
• University of Michigan restores internet access, still mum on security issue

On Thursday, patients arriving at Ascension Macomb-Oakland Hospital were rerouted under a diversion protocol, Taylor said.

But such problems “fluctuated,” she said. Other locations were not under a diversion protocol, but it was not clear if that would change, she said.

She said patients are advised to “have your medications written down and have your symptoms written down.”

The problems began Wednesday when the St. Louis-based hospital system “detected unusual activity on select technology network systems,” determining it to be a “cybersecurity event,” according to a statement released early Thursday.

That included patient records on MyChart, which allows patients to see their records, schedule appointments and talk with providers.

Ascension advised that its business partners “temporarily suspend the connection to the Ascension environment” until further notice.

The chain on Thursday sought to reassure the public that Ascension staff “are trained for these kinds of disruptions and have initiated procedures to ensure patient care delivery continues to be safe and as minimally impacted as possible.”

The breach forced Ascension to divert patients from some locations throughout the 140-hospital system to other hospitals. Ascension has hospitals in 19 states, including 15 in Michigan. It also operates 40 senior living facilities.

The Ascension breach is the latest from a “constant threat and attack” by cyberattackers, said one cybersecurity expert that works with Michigan hospitals.

“Because it’s an ecosystem in which information is shared, it’s a system that can be vulnerable” to attack, said Eric Eder, president of CyberForce|Q, which operates the Michigan Healthcare Security Operations Center and works with the Michigan Health & Hospital Association, an effort in which hospitals and health-care systems share information as quickly as possible during a breach.

Eder declined to comment on the attack on Ascension. But speaking in generalities, he said attacks on health care are usually sophisticated and well-coordinated among many individuals, using bots and other automated means to search out a system’s vulnerabilities.

“There’s this image of the hacker over a laptop in a hoodie,” he said. 

Rather, “it’s a more coordinated effort with a mix of automated systems and human actors.”

Ascension is working with Mandiant, a third-party cybersecurity firm and subsidiary of Google, to assist in the investigation, according to its statement early Thursday.

Hospital officials said they were trying to determine “what, if any” information had been breached.

“Should we determine that any sensitive information was affected, we will notify and support those individuals in accordance with all relevant regulatory and legal guidelines,” according to Ascension’s statement.

It's the latest in bad news for the health-care giant, which in recent months has shed properties after reporting a $3 billion loss in 2023.

In October, Detroit-based Henry Ford Health and Ascension Michigan announced their “joint venture” in which eight Ascension properties in southeast and mid-Michigan will take on the Henry Ford Health identity. And in March, Ascension agreed to shed three more hospitals, selling locations in Saginaw, Tawas and Standish to Midland-based MyMichigan Health.