News, Analysis, Trends, Management Innovations for
Clinical Laboratories and Pathology Groups

Hosted by Robert Michel

News, Analysis, Trends, Management Innovations for
Clinical Laboratories and Pathology Groups

Hosted by Robert Michel
Sign In

Becker’s Health IT Releases Lists of Providers That Paid the Most for Their EHRs

New EHR installations may require new laboratory information system upgrades and interfaces

Electronic health record (EHR) systems continue to be one of the costliest investments healthcare providers can make. And the company that holds the largest portion of the EHR market is Epic, with anywhere from 36% to 44%, according to various published reports and research briefs.

Healthcare executives remorseful about the cost of their hospital’s EHR may take solace in Becker’s Health IT’s recent list of the “most expensive” Epic EHR installations. It is common for the largest projects to cross the $1 billion mark.

Clinical laboratory leaders tasked with interfacing their hospital’s laboratory information system (LIS) with their healthcare system’s EHR may find the following information useful. The investment in time begins months before the actual EHR implementation.

One example is Lake Charles Memorial Health System (LCMHS) Lake Charles, La. In a blog post, the health system reported that it took 18 months for its physicians, clinicians, and staff to prepare for the installation of their new Epic MyChart EHR.

“There are lots of things we wish our customers would do to make sure their system runs well. Making sure every user is trained, for example. Putting in upgrades quickly. Making sure that the hardware runs fast enough,” wrote Judy Faulkner, Epic founder and CEO, in an Epic blog post.

“The LCMHS staff and physicians have championed this project from the beginning, and I have them to thank for the success of this EMR transition and look forward to seeing the positive impacts as we settle into the operational changes and new experiences Epic brings Lake Charles Memorial Health System and those we serve,” said Devon Hyde (above), President and CEO of Lake Charles Memorial Health System, about the provider’s transition to a new Epic MyChart EHR. (Photo copyright: Lake Charles Memorial Health System.)

Top 10 Most Expensive Epic EHR Installs of 2024

While Becker’s noted that the following compilation is “not an exhaustive list,” here’s its list of the top 10 most expensive Epic EHR projects based on publicly available sources.

  1. Northwell Health, New Hyde Park, N.Y.:                                          $1.2 billion
  2. Trinity Health, Livonia, Mich.:                                                          $800 million
  3. AdventHealth, Altamonte Springs, Fla.:                                            $660 million
  4. Memorial Hermann Health System, Houston:                                   $500 million
  5. UAB Health System, Birmingham, Ala.:                                           $380 million
  6. Broward Health, Fort Lauderdale, Fla.:                                             $250 million
  7. Wellstar Health System, Marietta, Ga.:                                              $175 million
  8. Health First, Rockledge, Fla.:                                                             $160 million
  9. Sarasota Memorial Health Care System, Sarasota, Fla.:                    $160 million
  10. MultiCare Health System, Tacoma, Wash.:                                       $50 million

Largest Epic EHR Projects Ever

Beyond 2024, here are the “largest Epic EHR projects of all time,” Becker’s Health IT reported separately based on publicly available sources:

  1. Kaiser Permanente, Oakland, Calif:                                                   $4 billion
  2. Mayo Clinic, Rochester, Minn.:                                                         $1.5 billion
  3. Mass General Brigham, Somerville, Mass.:                                       $1.2 billion
  4. Northwell Health, New Hyde Park, N.Y.:                                          $1.2 billion
  5. NYC Health and Hospitals, New York, N.Y.:                                   $1 billion
  6. Sutter Health, Sacramento, Calif.:                                                      $1 billion
  7. New York-Presbyterian, New York, N.Y.:                                        $964 million
  8. Providence, Renton, Wash.:                                                               $800 million   
  9. Trinity Health, Livonia, Mich.:                                                          $800 million
  10. Duke University Health, Durham, N.C.:                                            $700 million
  11. UMass Memorial Health, Worcester, Mass.:                                     $700 million   

Training Key for New EHR: Report

According to a report by research firm KLAS titled, “EHR Implementations 2025: Investing in People to Avoid Pitfalls and Ensure Clinical Success,” in addition to the “tremendous financial undertaking,” healthcare organizations also face implementation challenges following EHR installations.

KLAS reported that among the healthcare leaders KLAS interviewed:

  • 27% had “an above-average EHR post-implementation” likely due to “providing technological foundation needed” at go-live, while,
  • 40% said implementation of the EHR “had significant misses” and,
  • 22% reported “average satisfaction with room for improvement.”

Providing staff with adequate training may smooth the way for new EHRs, according to the KLAS report. “Often, leaders wish they had invested in more training time and workflow-specific training in the context of patient care,” the authors wrote.

New EHR May Mean New LIS

Pathologists and clinical laboratory leaders may need to transition the laboratory information system (LIS) when the healthcare organization moves to a new EHR. At the very least, new interfaces will be required.

While a new EHR and LIS requires significant investments, they also provide opportunities for needed upgrades, competitive advantage, and security.           

—Donna Marie Pocius

Lehigh Valley Health Network Agrees to Pay $65 Million Class Action Settlement to Patients after Ransomware Attack

Lawsuit is a strong reminder that clinical laboratories and pathology groups must take whatever steps necessary to secure their patients’ protected health information

Lehigh Valley Health Network (LVHN), one of the largest primary care groups in Pennsylvania, will pay out $65 million to settle a class-action lawsuit brought by the healthcare network’s own patients (identified only as “Jane Doe” in court documents) following a ransomware attack early last year in which LVHN refused to pay the ransom.

The payout may be the largest settlement for a single cyberattack to date and highlights the need for clinical laboratories and pathology groups to review their cyberattack defenses and incorporate steps to better secure patient protected health information (PHI), with one goal being to minimize the possibility of patients filing a class action lawsuit following a cyberattack.

LVHN blamed ransomware group ALPHV (a.k.a., BlackCat) for the attack, Fierce Healthcare reported. The hackers gained access to gigabytes of personal data belonging to 134,000 patients and staff members.

According to a news release LVHN issued in June, the private information the thieves obtained included, “names, addresses, phone numbers, medical record numbers, treatment and diagnosis information, including Current Procedural Terminology (CPT) codes, and health insurance information. For some individuals, the information included email addresses, banking information, Social Security numbers, and driver’s license numbers. The information for a limited number of individuals included clinical images of patients during treatment.”

The case is worth attention because it casts light on what the health system administration did/did not do to prevent the data breach that enabled the hackers to post nude photos of cancer patients undergoing treatment and other patient PHI on the Internet.

“When you go to the doctor’s office, that’s one place where you’re anticipating that everyone is working to maintain your privacy, even though you have to open yourself up to be treated,” said Patrick Howard, JD (above), partner at Philadelphia-based Saltz Mongeluzzi Bendesky P.C., who is representing the plaintiffs in the class action lawsuit. “It wasn’t lost on anyone that that was a very significant breach.” Clinical laboratories are particularly vulnerable since as much as 80% of a patient’s health record is lab test results and other data. (Photo copyright: Saltz Mongeluzzi Bendesky P.C.)

Lawsuit Details

The class action lawsuit was filed in March 2023 by a “Jane Doe” cancer patient whose data was hacked on behalf of herself and other victims of the cyberattack. The court documents recount how the unidentified plaintiff—a woman in her 50s—was “called by the hospital’s vice president of compliance on March 6, with news that that naked images of her were now online, before offering—‘with a chuckle’—two years of credit monitoring services. The Jane Doe plaintiff responded that she had no idea that the hospital had taken photographs of her while unclothed during her treatment for breast cancer, nor that it was storing them on corporate servers.”

“The pictures are really difficult to look at,” said Patrick Howard, JD, partner at Philadelphia-based Saltz Mongeluzzi Bendesky P.C. (SMB), who is representing the plaintiffs, in a news release. His legal team hired a cybersecurity expert who located the images the hackers had posted on the Dark Web, enabling them to “establish each person’s information that was actually online.”

The plaintiff’s attorney’s argued LVHN failed in its responsibility to protect patient information and were in violation of HIPAA (Health Insurance Portability and Accountability Act of 1996).

The class action lawsuit also alleges LVHN routinely took photos of naked cancer patients, sometimes without their knowledge. Some of those photos were published by BlackCat on the Dark Web. 

“While LVHN is publicly patting itself on the back for standing up to these hackers and refusing to meet their ransom demands, they are consciously and intentionally ignoring the real victims,” the lawsuit states. “Rather than act in their patients’ best interest, LVHN put its own financial considerations first.”

The law firm also stated this settlement is “the largest of its kind, on a per-patient basis, in a healthcare data breach ransomware case,” The Register reported.

Patients affected by the security breach were placed in relief tiers based on the private information that was stolen and leaked. The compensatory breakdown for those patients is:

  • $50 to patients whose records were hacked.
  • $1,000 to patients who had their information posted online.
  • $7,500 to patients whose non-nude photos were posted online.
  • $70,000 to $80,000 for patients who had their nude photos posted online.

“We struck the right deal,” Howard told WHYY News. “The vast majority of that money is going to mostly women whose images were published online, in topless fashion, with both their face exposed and their name in the files.”

Game Changing Data Breach

LVHN originally announced an attack had been detected in February 2023. On March 4, 2023, the ALPHV hackers demanded a ransom in excess of $5 million from LVHN, threatening to distribute the stolen data unless the ransom was paid. LVHN refused to pay the ransom which led to the cybercriminals uploading the stolen data to the Dark Web. 

“Attacks like this are reprehensible and we are dedicating appropriate resources to respond to this incident,” stated Brian Nester, DO, President and CEO, LVHN, in a news release.

“The type of data that was exposed, it’s a game changer,” said Carter Groome, founder and CEO of digital-risk firm First Health Advisory in the SMB news release. “This was so much more of a tangible, direct distress to those people who trusted the organization.”

“Pictures are part of medical care. That’s something that they do to track scarring and all sorts of things. But they are the most delicate and sensitive medical information,” Howard told WHYY News. “I think this case will be talked about in healthcare circles for some time in best practices in storing those types of images.”

Patients had until October 21, 2024, to exclude themselves from or object to the settlement. The deadline to submit a claim form was November 3, 2024, and the final approval hearing was held on November 15, 2024.

LVHN agreed to the terms of the settlement, whilst denying any wrongdoing on its part. Individuals in the settlement class who chose to participate in the lawsuit will be sent payment automatically.

LVHN has established a website for people seeking information about the cyberattack. 

As ransomware attacks continue to increase, clinical laboratories and pathology groups should review their cyberattack defenses and determine how to better secure their patients’ protected health information. Taking necessary precautions could minimize the possibility of patient data being compromised and prevent another huge class-action lawsuit.                     

—JP Schlingman

Related Information:

Lehigh Valley Health Network Issues Cyber Incident Notification

Lehigh Valley Health Network Agrees to $65M Settlement over Ransomware Attack That Leaked Nude Photos

Lehigh Valley Health Network Data Breach Lawsuit Settled for $65 Million

Healthcare Giant to Pay $65M Settlement after Crooks Stole and Leaked Nude Patient Pics

LVHN to Pay $65M after Cyberattack, Cancer Patients’ Photos Posted on Dark Web

A Message from Brian A. Nester, DO, MBA, President and CEO, Lehigh Valley Health Network

Patients at Center of Data Breach Case Win $65M Settlement against Lehigh Valley Health Network

Health System to Pay $65 Million after Hackers Leaked Nude Patient Photos

American Associated Pharmacies Struck by Ransomware Attack

Nearly One Million Patient Records of Hospitals, Health Clinics, Medical Laboratories, and other Providers Stolen in Ransomware Attack on Medical Records Company

American Associated Pharmacies Struck by Ransomware Attack

Clinical laboratories and anatomic pathology groups should consider these cyberattacks on major healthcare entities as reminders that they should tighten their cybersecurity protections

Hackers continue to gain access to public health records—including clinical laboratory testing data—putting thousands of patients’ protected health information (PHI) at risk of being exposed. The latest important healthcare entity to become the victim of a ransomware attack is American Associated Pharmacies (AAP). According to The Register, AAP announced a ransomware operation called Embargo had stolen over 1.4 terabytes (TB) of data, encrypted those files, and demanded $1.3 million to decrypt the data.

Embargo claims that Scottsboro, Ala.-based AAP paid $1.3 million to have its systems restored. They are now demanding an additional $1.3 million to keep the stolen data private, the HIPAA Journal reported, adding, “The attack follows ransomware attacks on Memorial Hospital and Manor, an 80-bed community hospital and 107 long-term care facility in Georgia, and Weiser Memorial Hospital, a critical access hospital in Idaho.”

AAP has not publicly confirmed the ransomware attack, nor has it made an official statement regarding the breach. But it did post an “Important Notice” on its website reporting, “limited ordering capabilities for API Warehouse have been restored at APIRx.com.”

API Warehouse is a subsidiary of AAP that helps subscribers save on brand name and generic prescriptions via wholesale purchasing plans. It oversees more than 2,000 independent pharmacies across the US and has over 2,500 stock keeping units (SKUs) in its inventory.

The message further states “All user passwords associated with both APIRx.com and RxAAP.com have been reset, so existing credentials will no longer be valid to access the sites. Please click ‘forgot password’ on the log in screen and follow the prompts accordingly to reset your password.”

“Embargo seems to have international and multi-sector victims and is not focusing on a specific victim profile. They seem opportunistic,” Mike Hamilton (above), founder and chief information security officer (CISO) of cybersecurity firm Critical Insight, told HealthcareInfoSecurity. “However, as they do have multiple victims in healthcare, and their tooling to disable detection is sophisticated, they should not be discounted. If indeed they operate through affiliates, we can expect others to use their infrastructure and tools, and Embargo may emerge as a top threat to healthcare.” Since 80% of all medical records are made up of clinical laboratory testing data, laboratory patients are particularly vulnerable. (Photo copyright: Critical Insight.)

Embargo on the Hunt for PHI

Due to the large amount of data Embargo stole from the AAP servers, it’s likely the hackers were able to procure medical records and account details from all customers of the pharmacies involved in the attack. 

Researchers at ESET, an internet security company, first noticed the ransomware organization known as Embargo in June of this year. In a news release, ESET stated that Embargo used an endpoint detection and response (EDR) killer toolkit to steal AAP’s data. 

“Based on its modus operandi, Embargo seems to be a well-resourced group. It sets up its own infrastructure to communicate with victims. Moreover, the group pressures victims into paying by using double extortion: the operators exfiltrate victims’ sensitive data and threaten to publish it on a leak site, in addition to encrypting it,” ESET wrote in a news release.

Embargo recently attacked other organizations within the healthcare industry as well. In November, it claimed responsibility for breaching the security of Memorial Hospital and Manor in Bainbridge, Ga. The cyberattack affected Memorial’s email and electronic medical record (EHR) systems, which caused the facility to pivot to a paper-based system, The Cyber Express reported. 

Embargo’s attack on Weiser Memorial Hospital in Weiser, Idaho, involved the theft of approximately 200 gigabytes (GB) of sensitive data and caused a four-week-long outage of its computer systems.  

Other Cyberattacks on Healthcare Organizations

Dark Daily has covered many cyberattacks on hospital health systems in multiple ebriefs over the past few years.

In “Cyberattack Renders Healthcare Providers across Ascension’s Hospital Network Unable to Access Medical Records Endangering Patients,” we summarized how Ascension’s inability to access medical records during the attack caused major disruptions to patient healthcare. It took more than a month for Ascension’s electronic health record system to be fully restored.

In “Change Healthcare Cyberattack Disrupts Pharmacy Order Processing for Healthcare Providers Nationwide,” Dark Daily outlined how a February cyberattack on Change Healthcare caused its parent organization UnitedHealth Group to file a Material Cybersecurity Incidents Report (form 8-K) with the US Securities and Exchange Commission (SEC) in which it stated it had “identified a suspected nation-state associated cybersecurity threat actor [that] had gained access to some of the Change Healthcare information technology systems.”

A few days later the real identity of the threat actor was revealed to be a ransomware group known as BlackCat (aka, ALPHV), according to Reuters.

And in, “Continued Cyberattacks on Hospitals, Clinical Laboratories, and Other Providers Cause Closures as Hackers Grow in Sophistication,” we reported how hospitals of all sizes continue to be prime targets for sophisticated cyberattacks, where hackers remotely disable a healthcare network’s computer systems—including its clinical laboratory information system (LIS)—and extort ransomware payments.

Safeguarding patient data is critical, and more healthcare organizations are discovering the hard way that they are vulnerable to hackers. This situation serves as another reminder to clinical laboratory and pathology group managers that they need to be proactive and serious about protecting their information systems, and in upgrading their digital security at regular intervals.

Hackers are working hard to obtain access to protected health information, which puts patients at continuous risk of having their private records stolen.

—JP Schlingman

Related Information:

Ransomware Fiends Boast They’ve Stolen 1.4TB from US Pharmacy Network

Another Major US Healthcare Organization Has Been Hacked, with Potentially Major Consequences

Gang Shaking Down Pharmacy Group for Second Ransom Payment

US Pharmacy Network Loses 1.4 Terabytes of Data to Boasting Hackers

New Ransomware Group Embargo Uses Toolkit That Disables Security Solutions, ESET Research Discovers

Embargo Ransomware Group Claims Attack on American Associated Pharmacies

American Associated Pharmacies Resets All User Passwords after Ransomware Gang Claims Responsibility for Cyberattack

Ransomware Attack Disrupts Memorial Hospital’s EHR System, Temporarily Slows Operations

Weiser Memorial Hospital Investigating Cyberattack

Hospital Deals with IT Outage for 4 Weeks

Healthcare Cyberattacks at Two Hospitals Prompt Tough Decisions as Their Clinical Laboratories Are Forced to Switch to Paper Documentation

Three Federal Agencies Warn Healthcare Providers of Pending Ransomware Attacks; Clinical Laboratories Advised to Assess Their Cyberdefenses

IT Experts Demonstrate How AI and Computer Microphones Can Be Used to Figure Out Passwords and Break into Customer Accounts

Clinical laboratories and pathology groups should be on the alert to this new digital threat; telehealth sessions and video conferencing calls particularly vulnerable to acoustic AI attacks

Banks may be the first to get hit by a new form of hacking because of all the money they hold in deposit accounts, but experts say healthcare providers—including medical laboratories—are comparably lucrative targets because of the value of patient data. The point of this hacking spear is artificial intelligence (AI) with increased capabilities to penetrate digital defenses.

AI is developing rapidly. Are healthcare organizations keeping up? The hackers sure are. An article from GoBankingRates titled, “How Hackers Are Using AI to Steal Your Bank Account Password,” reveals startling new AI capabilities that could enable bad actors to compromise information technology (IT) security and steal from customers’ accounts.

Though the article covers how the AI could conduct cyberattacks on bank information, similar techniques can be employed to gain access to patients’ protected health information (PHI) and clinical laboratory databases as well, putting all healthcare consumers at risk.

The new AI cyberattack employs an acoustic Side Channel Attack (SCA). An SCA is an attack enabled by leakage of information from a physical computer system. The “acoustic” SCA listens to keystrokes through a computer’s microphone to guess a password with 95% accuracy.

That’s according to a UK study published in IEEE Xplore, a journal of the IEEE European Symposium on Security and Privacy Workshops, titled, “A Practical Deep Learning-Based Acoustic Side Channel Attack on Keyboards.”

“With recent developments in deep learning, the ubiquity of microphones and the rise in online services via personal devices, acoustic side channel attacks present a greater threat to keyboards than ever,” wrote UK study authors Joshua Harrison, MEng, Durham University; Ehsan Toreini, University of Surrey; and Maryam Mehrnezhad, PhD, University of London.

Hackers could be recording keystrokes during video conferencing calls as well, where an accuracy of 93% is achievable, the authors added.

This nefarious technological advance could spell trouble for healthcare security. Using acoustic SCA attacks, busy healthcare facilities, clinical laboratories, and telehealth appointments could all be potentially compromised.

“The ubiquity of keyboard acoustic emanations makes them not only a readily available attack vector, but also prompts victims to underestimate (and therefore not try to hide) their output,” wrote Joshua Harrison, MEng (above), and his team in their IEEE Xplore paper. “For example, when typing a password, people will regularly hide their screen but will do little to obfuscate their keyboard’s sound.” Since computer keyboards and microphones in healthcare settings like hospitals and clinical laboratories are completely ubiquitous, the risk that this AI technology will be used to invade and steal patients’ protected health information is high. (Photo copyright: CNBC.)

Why Do Hackers Target Healthcare?

Ransomware attacks in healthcare are costly and dangerous. According to InstaMed, a healthcare payments and billing company owned by J.P. Morgan, healthcare data breaches increased to 29.5% in 2021 costing over $9 million. And beyond the financial implications, these attacks put sensitive patient data at risk.

Healthcare can be seen as one of the most desirable markets for hackers seeking sensitive information. As InstaMed points out, credit card hacks are usually quickly figured out and stopped. However, “medical records can contain multiple pieces of personally identifiable information. Additionally, breaches that expose this type of data typically take longer to uncover and are harder for an organization to determine in magnitude.”

With AI advancing at such a high rate, healthcare organizations may be unable to adapt older network systems quickly—leaving them vulnerable.

“Legacy devices have been an issue for a while now,” Alexandra Murdoch, medical data analyst at GlobalData PLC, told Medical Device Network, “Usually big medical devices, such as imaging equipment or MRI machines are really expensive and so hospitals do not replace them often. So as a result, we have in the network these old devices that can’t really be updated, and because they can’t be updated, they can’t be protected.”

Vulnerabilities of Telehealth

In “Penn Medicine Study Shows Telemedicine Can Cut Employer Healthcare Costs by 25%,” Dark Daily reported a study conducted by the Perelman School of Medicine at the University of Pennsylvania (Penn Medicine) which suggested there could be significant financial advantages for hospitals that conduct telehealth visits. This, we projected, would be a boon to clinical laboratories that perform medical testing for telemedicine providers.

But telehealth, according to the UK researchers, may also be one way hackers get past safeguards and into critical hospital systems.

“When trained on keystrokes recorded using the video-conferencing software Zoom, an accuracy of 93% was achieved, a new best for the medium. Our results prove the practicality of these side channel attacks via off-the-shelf equipment and algorithms,” the UK researchers wrote in IEEE Xplore.

“[AI] has worrying implications for the medical industry, as more and more appointments go virtual, the implications of deepfakes is a bit concerning if you only interact with a doctor over a Teams or a Zoom call,” David Higgins, Senior Director at information security company CyberArk, told Medical Device Network.

Higgins elaborated on why healthcare is a highly targeted industry for hackers.

“For a credit card record, you are looking at a cost of one to two dollars, but for a medical record, you are talking much more information because the gain for the purposes of social engineering becomes very lucrative. It’s so much easier to launch a ransomware attack, you don’t even need to be a coder, you can just buy ransomware off of the dark web and use it.”

Steps Healthcare Organizations Should Take to Prevent Cyberattacks

Hackers will do whatever they can to get their hands on medical records because stealing them is so lucrative. And this may only be the beginning, Higgins noted.

“I don’t think we are going to see a slowdown in attacks. What we are starting to see is that techniques to make that initial intrusion are becoming more sophisticated and more targeted,” he told Medical Device Network. “Now with things like AI coming into the mix, it’s going to become much harder for the day-to-day individual to spot a malicious email. Generative AI is going to fuel more of that ransomware and sadly it’s going to make it easier for more people to get past that first intrusion stage.”

To combat these attacks patient data needs to be encrypted, devices updated, and medical staff well-trained to spot cyberattacks before they get out of hand. These SCA attacks on bank accounts could be easily transferable to attacks on healthcare organizations’ patient records.

Clinical laboratories, anatomic pathology groups, and other healthcare facilities would be wise to invest in cybersecurity, training for workers, and updated technology. The hackers are going to stay on top of the technology, healthcare leaders need to be one step ahead of them.

—Ashley Croce

Related Information:

How Hackers Are Using AI to Steal Your Bank Account Password

A Practical Deep Learning-Based Acoustic Side Channel Attack on Keyboards

AI Can Steal Passwords with 95% Accuracy by ‘Listening’ to Keystrokes, Alarming Study Finds

New ‘Deep Learning Attack’ Deciphers Laptop Keystrokes with 95% Accuracy

Can A.I. Steal Your Password? Study Finds 95% Accuracy by Listening to Keyboard Typing

Ransomware in Healthcare: What You Need to Know

Hospital 2040: How Healthcare Cybercrime is Predicted to Escalate

30 Crucial Cybersecurity Statistics (2023): Data, Trends and More

Penn Medicine Study Shows Telemedicine Can Cut Employer Healthcare Costs by 25%

Healthcare Cyberattacks at Two Hospitals Prompt Tough Decisions as Their Clinical Laboratories Are Forced to Switch to Paper Documentation

Recent intrusions into the hospitals’ IT systems resulted in blocked medical records including medical laboratory data

Healthcare cyberattacks continue to be a threat that bring potentially costly business consequences for clinical laboratories. Just in the past month, two hospital systems had their health information technology (HIT) systems disrupted due to security incidents. In response, the hospitals’ medical laboratories were forced to switch from digital to paper documentation and, in at least one case, the organization reportedly had difficulty accessing electronic laboratory test results.

The incidents took place at 772-bed Tallahassee Memorial HealthCare (TMH) in Florida and 62-bed Atlantic General Hospital (AGH) in Berlin, Maryland.

At Tallahassee Memorial, an “IT security issue” on Feb. 2 resulted in the organization shutting down its IT systems for 13 days, including at its clinical laboratory. The hospital’s computer network went back online on Feb. 15, according to a news release.

At Atlantic General Hospital, according to an AGH news release, IT personnel discovered a ransomware attack on Jan. 29 that affected the hospital’s central computer system. As a result, the walk-in outpatient laboratory was closed until Feb. 14.

These recent cyberattacks underscore the importance for clinical laboratory leaders to have plans and procedures already in place prior to a disruption in access to critical patient data.

Ben Denkers

Healthcare cyberattacks can be a “complete blindside for a lot of organizations that think they have protections in place because they bought a product or they developed a policy,” said Ben Denkers (above), Chief Innovation Officer at CynergisTek, an Austin, Texas-based cybersecurity company, in an exclusive interview with The Dark Report. Since clinical laboratory test results make up about 80% of a patient’s medical records, disruption of a hospital’s IT network can be life threatening. (Photo copyright: The Dark Report.)

Laboratory Staff Unable to View Digital Diagnostic Results at Tallahassee Memorial

Though the exact nature of the incident at Tallahassee Memorial HealthCare has not been divulged, hospital officials did report the incident to law enforcement, which suggests a cyberattack had occurred.

Electronic laboratory test results were among the casualties of the IT difficulties at TMH. “Staff have been unable to access digital patient records and lab results because of the shutdown,” a source told CNN.

Attempts by Dark Daily to reach a medical laboratory manager for comment at TMH were unsuccessful. However, in a news release posted online shortly after the cyberattack, the health system advised staff members on dealing with the IT outages.

“Patients and families may notice the switch to paper documentation during registration, admission, or during their care, as our providers will be using paper forms, prescription pads, handwritten notes, or other similar paper methods where they may usually use an electronic process,” the news release stated. “We apologize for any delays this may create. We practice for situations like this, and we are prepared to provide safe, high-quality care to our patients during computer system downtimes.”

Atlantic General Hospital Reports Ransomware Incident to the FBI

At Atlantic General Hospital, the outpatient walk-in laboratory and outpatient imaging department both temporarily closed because of the ransomware attack.

Staff members throughout the hospital were “forced to manually check patients in and out of appointments and record all other information by hand instead of online,” Ocean City Today reported.

The hospital immediately informed the FBI of the ransomware incident and continues to work with an incident response team to determine whether criminals accessed any sensitive data. It was not clear whether the organization ultimately paid a ransom to unlock its systems.

The hospital’s medical laboratory director did not respond to an email from Dark Daily seeking further comment.

Healthcare Cyberattacks Attempt to Gain Access to Data

As we covered in “Ransomware Strikes Hospitals, Clinical Laboratories, and Medical Clinics without Warning and Is Now a Major Threat to all Healthcare Organizations,” healthcare organizations have increasingly been a target of cybercriminals and hackers who are after valuable patient data. For example, the healthcare and public health sector accounted for 25% of ransomware complaints as of October 2022, according to data from the FBI, as reported by the federal Cybersecurity and Infrastructure Security Agency.

Therefore, it is critical that clinical laboratory and hospital staff work with their IT counterparts to verify that technology and processes are in place to protect access to patient data.

In “Labs Must Audit Their Cybersecurity Measures,” Ben Denkers, who at that time was Chief Innovation Officer at CynergisTek, a cybersecurity firm based in Austin, Texas, told The Dark Report, “Testing, validating, and auditing whether measures are working as designed is a change of mentality for a lot of organizations.” (If you don’t subscribe to The Dark Report, try our free trial.)

An IT network attack is an attempt by a cybercriminal to gain unauthorized access to devices that contain and exchange data within an organization. Although this information may be on individual devices or on servers, network attacks are often only possible after a hacker enters a system through an endpoint, such as an individual’s email inbox.

“It’s important to understand that while the network server itself might have ultimately been the target, that doesn’t necessarily mean that it was compromised first,” Denkers told The Dark Report. “Phishing is a perfect example of a way an attacker could first gain access to a workstation, and then from there move laterally to a server.”

The final cost of a healthcare cyberattack often exceeds the ransom. Media coverage can lead to an organization’s diminished reputation within the community, and if protected health information (PHI) is accessed by the criminals, a hospital or health system may need to pay for identity theft monitoring for affected patients.

There also are regulatory repercussions that can be costly depending on the circumstances surrounding a cyberattack. For example, on Feb. 2, the US Department of Health and Human Services’ Office for Civil Rights announced a settlement with Banner Health Affiliated Covered Entities (Banner Health), a nonprofit health system headquartered in Phoenix, to resolve a data breach resulting from a hacking incident in 2016. That incident disclosed PHI for 2.81 million patients.

As part of the settlement, Banner Health paid a $1.25 million penalty and will carry out a corrective action plan to protect PHI in the future and resolve any alleged HIPAA violations, according to the HHS Office for Civil Rights.

This hefty penalty is a reminder to pathologists and clinical laboratory managers that—when it comes to cyberattacks—the classic adage “an ounce of prevention is worth a pound of cure” is appropriate advice.

—Scott Wallask

Related Information:

FBI Working with TMH to “Assess the Situation;” Computers Still Offline after Cyber Incident

TMH: Progress on IT Security Event Wednesday, Feb. 15, 2023

Tallahassee Memorial Managing IT Security Issue

CISA: Alert (AA22-294A)

Apparent Cyberattack Forces Florida Hospital System to Divert Some Emergency Patients to Other Facilities

Atlantic General Mum on Ransomware Event Details after System Are Restored

Atlantic General Hospital System Still Down Following Ransomware Attack

Atlantic General Hospital Fully Operational Following Cybersecurity Event

Nearly One Million Patient Records of Hospitals, Health Clinics, Medical Laboratories, and other Providers Stolen in Ransomware Attack on Medical Records Company

;