An Illinois hospital closed its doors on Friday, June 16, 2023, due in part to a ransomware attack that occurred two years ago.
St. Margaret’s Health in Spring Valley, IL, would become the first hospital to publicly link criminal hackers to its downfall. The healthcare organization partly attributed its collapse to billing and insurance claims problems caused by the 2021 ransomware attack.
A ransomware attack prevented the Illinois hospital from making insurance claims
The Illinois hospital was unable to submit claims to insurers, Medicare, or Medicaid for months, which led to a financial spiral, executives said.
The ransomware attack also shut down the Illinois hospital’s electronic medical records (EMR) portal, mail, and internal IT systems, denying staff access to healthcare and communication tools for four months.
When hospitals are hit with disruptive cyber-attacks, they scramble to find ways to suddenly work without the computer systems required in modern health care. According to Linda Burt, VP of quality and community services, the Illinois hospital resorted to manual records and waited up to a year to send insurance claims. Consequently, some claims went unpaid since some medical insurers have timely filing clauses automatically disqualifying late payment requests.
“It’s important to note that the ransomware attack, while significant, is not the only thing leading the organization to close its doors,” said Erich Kron, security awareness advocate at KnowBe4. “Unfortunately, while these attacks are not often the primary reason for an organization to shut down, the significant additional stress and financial impact caused by one of these attacks can be a major factor.”
While other factors, including COVID-19 staff shortages, unexpected expenses, and restrictions, played a role in the Illinois hospital’s collapse, the ransomware attack was the final straw that broke the proverbial camel’s back.
Meanwhile, Melanie Malooley-Thompson, the Spring Valley mayor, warned that former SMH customers would have to travel for 30 minutes for emergency room services.
Lamenting the “profound impact” of the facility’s shutdown, Malooley-Thompson disagreed with the decision to close operations, adding that the city was “not given prior notice or an opportunity” to find a solution.
Local politicians, including State Senator Sue Rezin, were working on a deal to keep the Illinois hospital afloat before OSF Healthcare took over SMH’s facilities.
An existential threat for small and mid-sized hospitals
Small hospitals operate on a tight budget, leaving no room for disruption or unexpected costs like those associated with a ransomware attack.
For twelve years in a row, healthcare data breaches have been the most expensive, averaging $10 million, according to IBM’s Cost of a Data Breach 2022 report.
Additionally, small healthcare facilities have inadequate cybersecurity staff to prevent such attacks, and many cannot afford or qualify for cyber insurance, making each ransomware attack an existential threat.
“Rural hospitals have been struggling throughout the nation, and many have already closed,” Sister Suzanne Stahl, who is the chair of the hospital’s parent organization SMP Health, said. “It has become impossible to sustain our ministry. This saddens us greatly.”
Amit Patel, SVP of Cyware, noted that cyber-attacks and limited finances presented the worst-case scenario for small healthcare organizations.
“Without enough resources to invest in robust security, updated systems, and having a clear recovery plan, these important local healthcare resources can easily be put out of business, directly impacting their patients,” Patel said.
Former CISA Chief Strategist Joshua Corman said government relief for small rural hospitals was long overdue, adding that other similar facilities would likely suffer the same fate.
Since 2005, 99 American rural hospitals have permanently closed down for various reasons, according to the Sheps Center for Health Services Research. The number of small healthcare facilities closing down increased from seven in 2022 to ten in 2023.
Multiple healthcare organizations obliterated by cyber-attacks
At least 24 small and medium-sized organizations across all sectors, including CloudNine, CardSystems, and Blue Security, have ceased operations after a devastating cyber-attack.
In 2019, Brookside ENT and Hearing Center terminated operations after hackers deleted all files. On the advice of law enforcement, and because recovery could not be guaranteed, the hospital refused to pay the $6,500 ransom and eventually closed down.
Other health-related organizations obliterated by cyber-attacks include Verus hospital billing systems, Vastaamo, and Best Medical Transcription. The latter leaked medical records online and was forced to pay $200,000 in a court settlement.
Since 2020, over 300 hospitals in the United States have suffered cyber-attacks from various cybercrime groups, mainly operating out of Russia.
In 2021 alone, over 90 hospitals suffered ransomware attacks, with over 16 million patients’ protected health information (PHI) leaked online.