Universal Health Services offline due to 'IT security issue'

(Reuters) - Universal Health Services Inc, one of the largest for-profit hospital operators in the United States, said on Monday its network has been knocked offline following an unspecified “IT security issue.”

UHS, which runs some 400 hospitals and care centers, mainly in the United States but also in the United Kingdom, did not specify the nature of the issue, saying in a brief statement it was using “established back-up processes” to recover.

Text messages reviewed by Reuters showed UHS instructing employees to avoid exposing their devices to the company’s corporate network, something one expert said was a sign of a ransomware outbreak.

“I can’t think of any other reason,” said Gabrielle Hempel, a researcher who studies the security of medical devices and says she has been in touch with people dealing with the incident.

Ransomware, which works by locking victims out of their computers until a ransom payment is made, has long been a pernicious threat to hospitals and health care providers. The coronavirus pandemic has heightened concerns that cybercriminals could target medical facilities.

UHS’ statement said “our facilities are using their established back-up processes including offline documentation methods,” adding that patient care “continues to be delivered safely and effectively.” It said no patient or employee data appeared to have been compromised.

In text messages to employees, the company said the disruption “may last 24 hours or more.”

“Do NOT attempt to connect to UHS email or other UHS network applications,” one of the messages said.

The nature of the disruption in UHS’ case was not clear. The company has not answered questions about the size and scope of the problem. Hempel said hospital cyberattacks should be taken seriously.

“Data is at risk here definitely, but you also have people’s lives at risk too,” she said.

Reporting by Raphael Satter; Editing by Bill Berkrot and David Gregorio