Computer systems at Universal Health Services Inc., one of the nation’s largest hospital chains, were taken offline after a malicious software attack crippled the company’s computers and led it to cancel some surgeries and divert some ambulances.
The company took down systems used for medical records, laboratories and pharmacies across about 250 U.S. facilities Sunday to halt further spread of the malware attack, Universal Health President Marc Miller said in an interview Monday evening.
The outage caused no harm to patients, he said, adding that the company is investigating any reports of patients at risk. No patient or employee data appears to have been accessed, he said.
Mr. Miller declined to describe the nature of the malware. People familiar with the incident said it was a ransomware attack.
In a ransomware attack, hackers typically exploit computer vulnerabilities to install their software on a targeted computer network. The attackers then encrypt the data, making it unreadable, but they promise to unlock the system for a payment.
Ransomware attacks have become the biggest cyber threat facing corporations, said Charles Carmakal, a vice president with the cybersecurity company FireEye Inc. “They are causing a lot of havoc to organizations,” he said.
Based in King of Prussia, Pa., Universal Health operates facilities covering a range of services from psychiatric hospitals to emergency rooms to outpatient centers. The company also runs health-care facilities in Britain.
Universal Health’s U.K. hospitals weren’t hit by the attack, and networks there continue to operate, Mr. Miller said.
Where systems were affected, health-care workers switched to paper records for patients, he said, using protocols for events when computers are down, such as during maintenance. The company backs up its pharmacy records every 24 hours and has already restored some of its network, Mr. Miller said, while adding it is unclear how long it will take to fully recover from the attack.
Mr. Miller said that Universal Health is cooperating with the Federal Bureau of Investigation on the matter. An FBI spokeswoman didn’t immediately have a comment on the incident.
UHS this month said that CEO and company founder Alan Miller would retire from the post in January, while retaining the role of executive chairman. It appointed Marc Miller to serve as the next chief executive of the company, which had about $11.4 billion in revenue last year.
The health-care facilities provider, in its latest annual report, warned that a cybersecurity incident could put it at risk of breaching U.S. health privacy rules known as HIPAA and could pose a risk of financial and reputational damage.
Under HIPAA, a malware attack that exposes patients’ personal health information could require hospitals to publicly disclose the breach, said Mark Barnes, a partner at the law firm Ropes & Gray LLP. Hospitals also face fines for privacy and security violations under the law. Ransomware attacks are a potential HIPAA violation, under guidance issued by federal health officials, Mr. Barnes said.
Hospitals are increasingly dependent on information technology after more than a decade of investment to expand use of computer medical records and growing numbers of networked medical devices. Those developments have made the sector highly vulnerable to malware, along with other industries at high risk of cyberattacks, such as banks, Moody’s Investors Service said last year.
Mr. Miller said that the hackers that attacked Universal Health Services used a previously unknown technique to break into the company’s computer systems. He declined to say whether the hackers had requested payment from the company.
Ransomware attacks have plagued other major institutions recently. A hacker who attacked a large public-school district in Las Vegas published stolen documents containing Social Security numbers, student grades and other private information after officials refused the ransom demanded, The Wall Street Journal reported Monday.
International law enforcement authorities during the height of the pandemic warned that hospitals and health-care facilities in multiple countries were being targeted in ransomware attacks.
Often a ransomware attack is the first phase of a multistage extortion attempt from cybercriminals, FireEye’s Mr. Carmakal said. Criminals routinely demand millions of dollars to unlock the encrypted systems, and then follow that up by threatening to publish stolen data on the internet if they aren’t paid a second time.
Mr. Carmakal said that although health-care providers are frequent targets, most ransomware criminals stay away from hospitals because taking systems offline could cause patient harm. “Most people don’t want to kill other people in the process of making money,” he said. “But there are some who just don’t care and it’s a means to an end.”
—Dustin Volz contributed to this article.