Or ransomware as a service or RaaS, please refer to this Pensacola News Journal article, search for “Black Basta” for the detailed information. I felt this article was well written. Unfortunately, this one is the place I used to work – Ascension Health (company official note on this cyber security event). I also talked about Ascension from time to time, after I left the company in June 2021. Here are some tweets.
Impacts
My 1st worry is its impact on patients, such as this patient in Wisconsin (I tweet below too). The impact to the patients is real and in a way is similar to the recent Change Healthcare hack (WSJ; I have a blog post too).
It impacts the caregivers too – Ascension cyberattack: Patients, nurses frustrated as problems persist. And all over Ascension service area, such as this one in Middle Tennessee, ‘Chaos’: Nurses, visitors describe conditions inside Ascension hospitals after cyberattack. This is very unfortunate for the patients, caregivers and impacted families. I just don’t have words for them – I hope they all can pull through. I will touch upon the evil of the bad actors below.
All this also showed the computerization of the medicine (or healthcare), while has its advantage: electronic medical record in theory at least gave the provider a holistic view of patient health issues. At the same time it shows its fragility (easy to break). Paper based process is always needed, because no computer systems is 100% reliable. This is somewhat like the Disaster Recovery (business continuity process) many decent sized organizations run or try to run, in case something horrendous happens (natural disaster, fire and so on). But in real life, how many hospitals or providers have the paper process nailed down, and have regularly ran the DR exercises. For me personally, I only saw DR exercise in action at Mastercard (and I participated it once as a lead, and it was quite interesting). In fact to me “production” is also interesting 🙂
Last but not least, if there is no lawsuit, then it’s not America. Central Texas woman sues Ascension following cyberattack.: interesting part of this article is it talked about RaaS and “Black Basta” in more details.
Health Insurance
We know in the US, health care system is very complicated (I wrote a series on this, the 3rd post is here).
Also note Ascension’s insurance (Blue Cross Blue Shield of Michigan) is not that great to begin with, as I learned 1st hand from my COBRA usage, or attempt to use my COBRA coverage after I left. My new employer’s benefits didn’t kick in immediately and there was two months gap.
Why I left Ascesnion
Below is one reason, the event proceeded my leaving. But not the only reason. I guess we may say that’s last straw.
Incidentally I worked at another major catholic hospital chain in the St. Louis area, and while my experience is not as bad, nonetheless I was not happy on one project – at one time we were briefly asked by the management to come in on Saturdays to complete the project “on time”. I knew it was mostly for “a show” not for actual completion of the project. And we had quite a few people quit (jump ship) during that time.
At both places, I have seen or worked on ambitious projects that started because one executive has the budget, and later on had to abandon because of various reasons. I understand software development projects are notoriously for cancellation and budget overrun because its complexity, hard to estimate and changing (or sometimes random) requirements. But I have worked on other industries too, and they usually “fail early, fail faster” (the agile way).
Recent cyber security events that I wrote
UnitedHealth Group Change Health Hack
Odds and Ends
Before I join the company (Ascension.org), I encountered some issues (login or single sign on SSO related) at myAscension.org. I still encountered similar issues (I would say about 33% failure rate) when I was working there. Looking back, this is a red flag of an organization’s IT capability.
If you happen to work in the IT/software development field, think “security security and security” all the time. It won’t prevent all the hacks. But it’s a good starting point. Btw, once when I was working for the Mastercard, I had the fun task to investigate the bad guys logged into a bank’s rewards redemption website and redeemed air tickets and hotels. One thing I still remember is this “client attorney privilege… ” in the email thread; another thing I was emotionally drained was seeing how some people can be that kind of malicious (stealing is bad, stealing on internet is equally bad as physically stealing). I also recalled when I was at college, I was stolen twice, once at a bus, someone picked up my wallet (when I realized, it was a bit late); another time, someone broke the lock on my drawer and took the money that my dad sent me recently. Always have the “security in mind” in daily life and in IT. Learn as much as you can, such as this Security in Mind channel on YT.
Last but not least, I understand we are going towards “electronic medical record” world, but we probably still need to keep some papers around prescription, vaccination records and testing results etc., better yet, back them up in the iCloud or somewhere you believe is safe, just in case the MyChart etc. goes down.
More Coverage in the news
Retired FBI agent weighs in on Ascension cyberattack
Fallout from Ascension cyberattack continues: Michigan pharmacies can’t fill prescriptions
Healthcare leaders praise Ascension cyberattack response
Ascension nurse: Ransomware attack makes caring for hospital patients ‘so, so dangerous’
How the Ascension cyberattack is disrupting care at hospitals
Ascension Saint Thomas Health patient files class action lawsuit over data breach
Ascension patients still grappling with fallout from cyberattack
Nurses fed up with Ascension Healthcare security breach issues
‘They need to step up’: Retired FBI Special Agent speaks on current Ascension cybersecurity attack
(June 13, 2024 at 7:21 AM) Ascension cyber attack caused by worker who accidentally downloaded malware – Officials: Attackers accessed 7 of 25,000 servers
(06-19-2024) Patients at Ascension hospital network given dangerous doses of narcotics after disastrous cyberattack: “In another case, a female patient suffered a cardiac arrest and died after data mishaps delayed test results that would determine her life-saving treatment.”
(09-19-2024) Ascension posts $1.1B net loss for 2024 after May cyberattack
(12-20-2024) Ransomware attack on health giant Ascension hits 5.6 million patients
(Update 04-29-2025) Ascension data breach impacts patients in 5 states, including Michigan
