, ,

Electronic health records go back online at Wisconsin Ascension hospitals

Ransomware attack in May forced Ascension hospitals to go offline while staff felt ‘tired and stressed,’ union leader says

Ascension Columbia St. Mary’s Hospital in Milwaukee
Ascension Columbia St. Mary’s Hospital in Milwaukee. Electronic records at Ascension facilities throughout Wisconsin are mostly back online following a ransomware attack in early May. Coburn Dukehart / Wisconsin Watch

Electronic health records at the health care company Ascension are back online at Wisconsin hospitals about a month after a cyber attack forced the company to go offline, a company spokesperson said Monday. 

The spokesperson told WPR most hospital departments, physician offices and clinics may now use electronic documentation, charting and ordering systems. Ascension is still working to restore “other ancillary technology systems.”

A union leader at Ascension St. Francis Hospital in Milwaukee recently told WPR’s “Wisconsin Today” what it was like for hospital staff members at the state’s 17 Ascension facilities to go back to pen and paper in the weeks after the May 8 cyber attack. 

Stay informed on the latest news

Sign up for WPR’s email newsletter.

This field is for validation purposes and should be left unchanged.

“For a lot of our nurses, they’ve never paper charted at all,” said Connie Smith, a charge capture coordinator and head of the Wisconsin Federation of Nurses and Health Professionals. “We were using forms that we pulled out of drawers that hadn’t seen the light of day in a long, long time.”

The May 8 cyber attack took down various electronic systems and records for about 140 Ascension hospitals nationwide. The company restored systems in Wisconsin over the weekend and has promised to restore access to these systems nationwide by Friday.

Outages led to longer wait times, concerns of patients missing appointments

Smith works in the surgery department of Ascension St. Francis Hospital. She said staff at every level of the hospital felt the disruptions and were “tired and stressed.” 

“It has been a tough challenge from our outpatient departments to our independent inpatient departments. Our emergency rooms. Even down to our cleaning staff and our kitchen workers,” she said. “The way we use the electronic record to get people dinner and lunch and breakfast, and to get our rooms tidied up or cleaned after somebody has left … all goes through that medical record.”

Smith said patients likely saw longer wait times after the cyber attack.

“I think there was some worry initially. Are these patients going to show up for their procedure knowing that we didn’t have their record? Or we would have patients show up, but they would have to wait,” she said. “Because within the first couple of days, we had to go back and get all kinds of orders that were initially there (but) were no longer available for us to see.”

Traffic speeds by FBI headquarters
In this Nov. 1, 2017, photo, traffic along Pennsylvania Avenue in Washington streaks past the Federal Bureau of Investigation headquarters building. In an alert Oct. 28, 2020, the FBI and other federal agencies warned that cybercriminals are unleashing a wave of data-scrambling extortion attempts against the U.S. health care system that could lock up their information systems. J. David Ake/AP Photo

Health economist says it’s normal that systems take weeks to return

Ascension said in a news release last month that it was the victim of a type of cyber attack called ransomware. 

In ransomware, someone uploads malicious software to an organization to deny access to files and then demand a ransom in exchange for not publishing the content of those files. In a hospital setting, these files could contain sensitive patient data that could lead to identity theft and fraud. 

The attack affected a portal for patients to see records and message providers called MyChart, The Washington Post reported. The attack also affected other phone services and systems for ordering tests, procedures and medications.

Health economist and University of Minnesota assistant professor Hannah Neprash studies ransomware attacks on health care facilities. She said when studying these hacks, she often sees electronic health records go down. 

“(This) is probably the single most common disruption that my team has observed when we looked across nearly 400 ransomware attacks in health care,” Neprash said. “The other thing is: It’s not uncommon to see cyber attacks cause these disruptions for multiple weeks.”

Neprash released a working paper in October looking at the effects of ransomware attacks on hospitals and patients. She found that ransomware attacks can affect if a patient lives or dies.

“Mortality goes up by about 1 to 2 percent. It doesn’t sound like much, but it’s already a pretty rare outcome,” Neprash said. “So, another way to say this is: If you are a patient who has the misfortune to be admitted to the hospital when that hospital gets hit by a ransomware attack, the chances that you walk out the door alive go down slightly, but significantly.”

Ascension, others face class-action lawsuits after attacks

In recent years, hospital systems nationwide have faced large-scale lawsuits following cyber attacks. At least six class-action lawsuits were filed against Change Healthcare following a cyber attack in February. Last year, HCA Healthcare was subject to a class-action lawsuit after a breach that could have affected up to 11 million patients.

Since the ransomware attack on May 8, at least two class-action lawsuits have been filed against Ascension. The lawsuits claim that the company failed to safeguard personal identifying information and protected health information.

Ascension has said it is investigating if hackers accessed patient data. 

“We are conducting a thorough investigation of the incident with the support of leading cybersecurity experts and law enforcement,” an Ascension spokesperson told WPR on Monday. “If we determine sensitive data was potentially exfiltrated or accessed, we will notify and support the affected individuals in accordance with all relevant regulatory and legal obligations.”

Smith, the union leader, offered some criticisms on how Ascension handled matters after the attack.

“Communication with staff could have been a lot better. We didn’t hear stuff for days … But the reality behind it is, we need staff,” Smith said. “We needed staff before this. And we need staff now.”

“They have been cutting back on the number of people that are in the facilities, and the time that they are taking to replace somebody has been so long,” she continued. “One more set of hands on that first day could have changed what is happening across the board.”

Neprash said she is unsure if Ascension should take responsibility in this attack.

“I wish I knew the right answer to that. But just the fact that we’re asking that question gets at some of this complexity and all the interconnectedness in health care,” Neprash said. “The fact that we don’t know who is in charge of keeping that information safe shows us why health care is so vulnerable.”