Thanksgiving week ransomware attack hits Ardent Health hospitals in 6 states

A ransomware attack on Ardent Health Services impacted 30 hospitals in six states over the Thanksgiving weekend. The healthcare company took its network offline after the attack was discovered on Thanksgiving morning, causing several of its hospitals to divert ambulances and reschedule non-emergency procedures.

“The Ardent technology team immediately began working to understand the event, safeguard data, and regain functionality,” the company said in a statement Monday. “As a result, Ardent proactively took its network offline, suspending all user access to its information technology applications, including corporate servers, Epic software, internet and clinical programs.”

Ardent also reported the cyberattack to police and hired third-party forensic and threat intelligence advisors, according to the statement. The company could not confirm Monday the extent of patient health or financial data that may have been compromised in the attack.

Ardent operates facilities in Texas, Kansas, Oklahoma, Idaho, New Jersey and New Mexico, including 30 hospitals and more than 200 sites of care. It said its clinics remain open and its hospitals will continue to provide medical screenings and stabilizing care for patients that arrive at its ERs. At least one Ardent-owned hospital, UT Health East Texas, was taken off divert status and began accepting ambulances again as of Tuesday morning, according to KLTV.

Hospitals grapple with rising cyber threat

CISA reportedly warned Ardent of potential malicious activity on its systems on Nov. 22 as part of the agency’s Ransomware Vulnerability Warning Pilot (RVWP) program that launched earlier this year, according to CNN. An Ardent spokesperson said the warning came after the company already began to investigate an irregularity discovered on its system on Nov. 20. SC Media reached out to Ardent to confirm the timeline of the incident but did not receive a response.

Tim Helming, a security evangelist at DomainTools, said Ardent’s prompt and thorough response is a “silver lining” to the incident — one among many that have hit healthcare systems this year.

“Ardent taking its network offline is an extreme, albeit effective, move to reduce both the chance that the ransomware can spread to more internal systems, and the likelihood that sensitive data can be exfiltrated to malicious assets,” Helming told SC Media.

Cyberattacks targeting healthcare facilities have been on the rise. Research by Atlas VPN in October found that the number of patients affected by healthcare data breaches jumped from 37 million in 2022 to 87 million in 2023. Earlier this month, more than 1.6 million patients had their data leaked when the Cl0p ransomware gang hacked the MOVEit file transfer system and compromised the files of patient engagement firm Welltok.

CISA and the Department of Health and Human Services (HHS) released a new federal healthcare cybersecurity toolkit in October to address “persistent challenges” in cybersecurity faced by healthcare organizations.