Cyberattack Aftermath: HSHS Hospital System and Prevea Health’s Road to Recovery

Nearly two weeks have passed since the Hospital Sisters Health System (HSHS) and Prevea Health were hit by a crippling cyberattack, and the road to recovery remains challenging. The HSHS hospital system and Prevea Health, a physician group that partners with HSHS on patient care, are working tirelessly to restore all services for their patients, but the aftermath of the cyberattack has had significant consequences.

Did You Receive A HSHS Or Prevea Notice Letter?

Did you receive notice from Hospital Sisters Health System (HSHS) or Prevea Health that your information was breached?
Do you still have a copy of the notice letter?

The troubles began on Sunday, August 27, when HSHS and Prevea first detected outages in their clinical and communication systems. In a video message posted on September 1, HSHS CEO Damond Boatwright confirmed that this was a result of a cybersecurity incident, leaving their hospital and clinical operations disrupted.

While hospitals and emergency rooms continue to receive patients, the cyberattack forced the postponement of some procedures and appointments. Patients can still schedule elective procedures, but access to online services like the MyChart portal for scheduling appointments and reviewing lab results has been temporarily suspended.

Phone and email service, which also experienced temporary disruptions, have been restored. However, due to the high call volume, patients have been facing long wait times and dropped calls when trying to reach clinics and hospitals.

HSHS is working closely with law enforcement and third-party experts to restore services and determine the extent of the breach. At this point, it is unclear whether patient data has been compromised, and it may take time to assess the full scope of the incident. Patients will be notified if their private information has been accessed by intruders.

Some patients have expressed concerns about potentially fraudulent bills, and there have been reports of individuals claiming to be from HSHS seeking payments. HSHS and Prevea assure patients that they are not collecting payments for outstanding bills at this time and will not charge late payment fees. However, some of their partners are sending out bills, so patients are urged to review them to ensure accuracy.

HSHS, which operates 15 hospitals in Illinois and Wisconsin, along with other care facilities, and Prevea, a multispecialty physician group based in Green Bay that works with six HSHS hospitals in Wisconsin, are doing their best to provide care even in the absence of electronic medical records and other vital technology tools.

The cyberattack on HSHS and Prevea is not an isolated incident, as more hospitals and health systems have fallen victim to cyberattacks and ransomware attacks in recent months. In the first half of 2023 alone, over 220 cyberattacks targeted healthcare institutions. This surge in cyberattacks is affecting a growing number of patients and their medical records. In the first half of 2023, an estimated 40 million Americans were affected by health data breaches, a concerning increase compared to 2021 when 58 million people were impacted by breaches throughout the year.

The Joint Commission has issued guidelines for hospitals to prepare for and respond to cyberattacks, emphasizing the need for response plans to provide services to patients, even if critical technology systems are down for extended periods.

Aside from the immediate threat to patient care, cyberattacks also come with significant financial costs. The average healthcare data breach costs nearly $11 million, as reported by IBM Security. As HSHS and Prevea continue their efforts to recover and restore their services, this incident serves as a stark reminder of the critical importance of cybersecurity and preparedness in the healthcare industry.