More than a week after the national hospital system Ascension experienced a ransomware attack, disruptions to operations are still ongoing.
An Ascension spokesperson said in a statement that “unusual activity” was first detected on multiple technology network systems Ascension uses on Wednesday, May 8. Later, representatives confirmed that Ascension’s electronic health records system had been affected, along with “various systems utilized to order certain tests, procedures and medications.” Some phone capabilities have also been offline, and patients have been unable to access “MyChart,” a system patients can use to view medical records and get in touch with their doctors.
Unable to access those systems, hospital staff had to shift to “manual and paper based” processes.
Kris Fuentes, who works in the neonatal intensive care unit at Ascension Seton Medical Center Austin, said she remembers when paper charting was the norm. But after so many years of relying on digital systems, she said the hospital wasn’t ready to make such an abrupt shift, and that instruction from management was lacking.
“It’s kind of like we went back 20 years, but not even with the tools we had then,” Fuentes told KUT. “Our workflow has just been really unorganized, chaotic and at times, scary.”
Fuentes said everyday tasks are taking longer to complete. Orders for medication, labs and imaging are handwritten and then distributed on foot to various departments, whereas typically these requests are quickly accessed via computer. A lack of safety checks with these backup methods has introduced errors, she said, and every task is taking longer to complete.
“Medications are taking longer to get to patients, lab results are taking longer to get back,” she said. “Doctors need the lab results, often, to decide the next treatment plan, but if there’s a delay in access to the labs, there’s a delay in access to the care that they order.”
Ascension representatives have responded to KUT’s requests for interviews and comments about how Ascension’s cybersecurity issues are affecting local hospitals by referring to corporate statements on the hospital system’s website. As of Tuesday, Ascension reported that it continued to work with “industry-leading cybersecurity experts” to investigate the ransomware attack and restore affected systems. The FBI and Cybersecurity and Infrastructure Security Agency are also involved in the investigation.
While Ascension works to resolve the problem, Fuentes said everyday tasks require more labor to complete, with tasks that normally take one nurse requiring two. And in her department, the NICU, she said some babies have been transferred to other hospitals due to Ascension’s current limitations.
“Some of our strongest nurses have been leaving in tears because they don't have the tools to provide for our babies, and not just our babies, but our patients throughout the hospital,” she said. “We were short-staffed before this happened, and this isn't helping.”
Fuentes is also a member of National Nurse Organizing Committee/National Nurses United, the union that represents some 1,100 nurses at ASMCA. The union secured its first contract with the hospital earlier this year, which included a provision that a committee of RNs would have the opportunity to meet monthly with management to discuss ongoing concerns. Fuentes said having the contract in place has provided some comfort in the aftermath of Ascension’s ransomware attack.
“We have a pretty solid network to communicate amongst ourselves from the different nursing departments throughout the hospital, so we can talk about the challenges we're having and how they're being addressed,” Fuentes said.
Additionally, Fuentes said she has been in touch with nurses who belong to unions at Ascension hospitals in Kansas and Maryland to share ideas about how to manage challenges while they lack access to digital systems.
Cybersecurity breaches of American hospital systems have increased in recent years; a 2023 study from the University of Minnesota found that ransomware attacks more than doubled in the five years between 2016 and 2021, putting the private health information of nearly 42 million people at risk. Just last year, Ascension Seton announced a data breach of two of its legacy websites, although no systems involved in hospital operations were affected by the incident.
A San Marcos woman filed a class action lawsuit against Ascension Health last week, accusing the organization of failing to protect patients’ private medical data. In court documents, the plaintiff says she was hospitalized at Ascension Seton’s Round Rock hospital last year. The complaint claims Ascension failed to implement sufficient cybersecurity measures that would have stopped a quote, “foreseeable and preventable cyber-attack.”
Ascension has not yet confirmed whether patient data was compromised by the May 8 incident, but representatives said they will contact affected parties if they determine any sensitive data was accessed.