Austin's Ascension Seton Medical Center is among the hospitals affected by a nationwide cybersecurity breach of Ascension technology systems. / Julia Reihs/KUT News

Hospital staff are forced to write notes by hand and deliver orders for tests and prescriptions in person in the ongoing fallout from a recent ransomware attack at the national health system Ascension.

Ascension is one of the largest health systems in the United States, with some 140 hospitals located across 19 states and D.C.

A spokesperson said in a statement that "unusual activity" was first detected on Wednesday, May 8, on multiple technology network systems Ascension uses. Later, representatives confirmed that some of Ascension's electronic health records systems had been affected, along with systems used "to order certain tests, procedures and medications."

Some phone capabilities have also been offline, and patients have been unable to access portals used to view medical records and get in touch with their doctors.

Due to these interruptions, hospital staff had to shift to "manual and paper based" processes.

"Our care teams are trained for these kinds of disruptions and have initiated procedures to ensure patient care delivery continues to be safe and as minimally impacted as possible," an Ascension spokesperson said in a May 8 statement.

Kris Fuentes, who works in the neonatal intensive care unit at Ascension Seton Medical Center in Austin, said she remembers when paper charting was the norm. But after so many years of relying on digital systems, she said her hospital wasn't ready to make such an abrupt shift.

"It's kind of like we went back 20 years, but not even with the tools we had then," Fuentes said. "Our workflow has just been really unorganized, chaotic and at times, scary."

Fuentes said orders for medication, labs and imaging are being handwritten and then distributed by hand to various departments, whereas typically these requests are quickly accessed via computer. A lack of safety checks with these backup methods has introduced errors, she said, and every task is taking longer to complete.

"Medications are taking longer to get to patients, lab results are taking longer to get back," she said. "Doctors need the lab results, often, to decide the next treatment plan, but if there's a delay in access to the labs, there's a delay in access to the care that they order."

As of Tuesday, Ascension still had no timeline for when the issues might be resolved, and reported that it continued to work with "industry-leading cybersecurity experts" to investigate the ransomware attack and restore affected systems. The FBI and Cybersecurity and Infrastructure Security Agency are also involved in the investigation.

While Ascension facilities remain open, a health system representative said on May 9 that in some cases, emergency patients were being triaged to different hospitals, and some non-emergent appointments and procedures were postponed. Certain Ascension pharmacies are not operational, and patients are being asked to bring in prescription bottles or numbers.

Individuals who are enrolled in Ascension health insurance plans are being directed to mail in monthly payments while the electronic payment system is down.

Cybersecurity breaches of American health care systems have increased in recent years; a 2023 study from the University of Minnesota found that ransomware attacks more than doubled in the five years between 2016 and 2021, putting the private health information of nearly 42 million people at risk.

The Ascension breach comes after a major ransomware attack in February on Change Healthcare (owned by UnitedHealth) left millions of Americans' health data exposed and led to delays processing health care claims and filling prescriptions, as the AP reported.

In May, members of the Senate Finance Committee in Congress questioned UnitedHealth's CEO and learned that the company didn't have adequate cybersecurity safeguards in place, including multi-factor authentication, to prevent such an attack.

Repercussions from the Change Healthcare attack continued into the spring. The American Hospital Association said 94% of hospitals surveyed experienced a financial impact, and the American Medical Association reported that 80% of surveyed members were suffering financially. Many were still struggling to get claims submitted and paid as of late April.

The U.S. Department of Health and Human Services announced Monday it is investing more than $50 million in a cybersecurity effort to create tools to help hospitals better defend themselves against these kinds of threats.

Ascension has not yet confirmed whether patient data was compromised by the May 8 incident, but representatives said they will contact affected parties if they determine any sensitive data was accessed.

Carmel Wroth contributed to this report.