Hackers had access to patient information for months in New York hospital cyberattack, officials say
A group of New York hospitals and health care centers were targeted in a cyberattack that for two months allowed hackers to access patients' private information, officials said this week. The attack targeted three separate facilities in the Hudson Valley — HealthAlliance Hospital, Margaretville Hospital and Mountainside Residential Care Center — which all operate under the same parent company and within the hospital conglomerate Westchester Medical Center Health Network.
HealthAlliance, Inc., the corporate parent of the three facilities, said Monday that it "began mailing notification letters to patients whose information may have been involved in a data security incident." The security issue was acknowledged publicly in October by the broader Westchester health network, but few details were released about the nature or the extent of the breach as an investigation got underway. Now, officials say the probe involving the New York State Department of Health, local authorities in the Hudson Valley, the FBI and a third-party cybersecurity firm determined that hackers were able to access the parent company's information technology network from Aug. 18 to Oct. 13.
"While in our IT network, the unauthorized party accessed and acquired files that contain patient information," HealthAlliance said in a statement. "The information involved varied by patient, but may have included names, addresses, dates of birth, Social Security numbers, diagnoses, lab results, medications, and other treatment information, health insurance information, provider names, dates of treatment, and/or financial information."
The company said it will offer free credit monitoring services and identity theft protection services to patients whose Social Security numbers were potentially stolen. It has also put in place "additional safeguards and technical security measures." A dedicated call center has been set up for patients to contact HealthAlliance with questions.
CBS News contacted Westchester Medical Center Health Network for more information but did not receive an immediate response.
The health network first warned that some of its facilities were facing a "potential cybersecurity threat and an IT system outage" on Oct. 16, it said in a statement at the time.
Patient care had not yet been impacted, the statement said. But, by Oct. 19, a planned shutdown of the connected IT systems used by all three affected facilities forced emergency medical services crews to divert ambulances from HealthAlliance Hospital and decide whether to discharge admitted patients or transfer them to other hospitals within the Westchester network. Those changes were in effect for several days as the temporary shutdown went ahead, followed by a staged reboot that lasted into the weekend.
Both HealthAlliance Hospital and Margaretville Hospital continued to accept walk-in patients, and officials said at the time they would be "treated, assessed and either released, or stabilized and transferred to other WMCHealth facilities." HealthAlliance said the facilities were "fully operational" by the evening of Oct. 21, although emergency stroke patients still needed to be treated elsewhere.
The cyberattack that targeted HealthAlliance was one of a growing number of cyber threats impacting hospitals and health care centers across the United States, potentially opening up patients' private data to bad actors and interrupting or threatening their quality of medical care. At least 299 hospitals have experienced ransomware attacks in 2023, according to the Institute for Security and Technology.
One attack last month targeted a large health care conglomerate, the Tennessee-based Ardent Health Services. The attack affected 30 hospitals and more than 200 health care sites across six states. The company said it became aware of the breach on Thanksgiving day.
Because of the breach, a patient scheduled to undergo a heart procedure at an affected health care site in Oklahoma and another scheduled for an annual cancer check at an affected site in Kansas both told CBS News their appointments were suddenly postponed or canceled entirely.
In New Jersey last month, two hospitals were forced to divert patients headed to their emergency rooms to other facilities, CBS New York reported. Hospital officials said at the time that patient care was not affected, but Jack Danahy, a cybersecurity expert, told CBS New York that cyberattacks like that one "can have a material effect on the provision of care," adding, "We know with the case of earlier attacks, it can take weeks or months for those systems to come back online."
—Nicole Sganga contributed reporting.
