Cyberattack Targets New York Hospitals
A group of New York hospitals and health care centers were targeted in a cyberattack that for two months allowed hackers to access patients' private information, officials said this week. The attack targeted three separate facilities in the Hudson Valley — HealthAlliance Hospital, Margaretville Hospital and Mountainside Residential Care Center — which all operate under the same parent company and within the hospital conglomerate Westchester Medical Center Health Network.
HealthAlliance, Inc., the corporate parent of the three facilities, said Monday that it "began mailing notification letters to patients whose information may have been involved in a data security incident." The security issue was acknowledged publicly in October by the broader Westchester health network, but few details were released about the nature or the extent of the breach as an investigation got underway. Now, officials say the probe involving the New York State Department of Health, local authorities in the Hudson Valley, the FBI and a third-party cybersecurity firm determined that hackers were able to access the parent company's information technology network from Aug. 18 to Oct. 13.
"HealthAlliance has announced that an unauthorized party gained access to our IT network and obtained files containing patient information," the company stated. The compromised information may include names, addresses, dates of birth, Social Security numbers, diagnoses, lab results, medications, treatment information, health insurance details, provider names, dates of treatment, and financial information.
In response, HealthAlliance will provide free credit monitoring and identity theft protection services to patients whose Social Security numbers may have been stolen. The company has also implemented additional security measures and safeguards. A dedicated call center has been established for patients to contact HealthAlliance with any inquiries.
CBS News reached out to Westchester Medical Center Health Network for further details but did not receive an immediate response.
On October 16, the health network initially alerted that some of its facilities were facing a "potential cybersecurity threat and an IT system outage," according to a statement at the time.
The statement clarified that patient care had not yet been affected. However, by October 19, a planned shutdown of the interconnected IT systems used by all three impacted facilities led to emergency medical services crews having to redirect ambulances from HealthAlliance Hospital. They also had to make decisions regarding discharging admitted patients or transferring them to other hospitals within the Westchester network. These changes remained in effect for several days during the temporary shutdown, which was followed by a staged reboot lasting into the weekend.
HealthAlliance Hospital and Margaretville Hospital Continue to Accept Walk-In Patients
Both HealthAlliance Hospital and Margaretville Hospital continued to accept walk-in patients, and officials said at the time they would be "treated, assessed and either released, or stabilized and transferred to other WMCHealth facilities." HealthAlliance said the facilities were "fully operational" by the evening of Oct. 21, although emergency stroke patients still needed to be treated elsewhere.
The cyberattack that targeted HealthAlliance was one of a growing number of cyber threats impacting hospitals and health care centers across the United States, potentially opening up patients' private data to bad actors and interrupting or threatening their quality of medical care. At least 299 hospitals have experienced ransomware attacks in 2023, according to the Institute for Security and Technology.
One attack last month targeted a large health care conglomerate, the Tennessee-based Ardent Health Services. The attack affected 30 hospitals and more than 200 health care sites across six states. The company said it became aware of the breach on Thanksgiving day.
Heart Procedure and Cancer Check Appointments Postponed Due to Breach
Because of the breach, a patient scheduled to undergo a heart procedure at an affected health care site in Oklahoma and another scheduled for an annual cancer check at an affected site in Kansas both told CBS News their appointments were suddenly postponed or canceled entirely.
Emergency Room Diversion in New Jersey
Last month in New Jersey, two hospitals were forced to divert patients headed to their emergency rooms to other facilities, according to CBS New York.