Universal Health Services Ransomware Attack Cripples IT Systems Across United States

Universal Health Services (UHS), a King of Prussia, PA-based health system with more than 400 healthcare facilities in the United States and UK, has suffered a major security breach that has seen its IT systems crippled.

The Fortune 500 healthcare provider has more than 90,000 employees and serves around 3.5 million patients each year. According to a statement published on its website, the company “experienced an information technology security incident in the early morning hours of September 27, 2020.” Upon discovery of the breach, UHS “suspended user access to its information technology applications related to operations located in the United States.”

UHS has implemented information security and emergency protocols and is working closely with its security partners to mitigate the attack and restore its IT operations as quickly as possible. The cyberattack crippled its IT systems, leaving affected hospitals without access to their computer and phone systems. UK facilities were unaffected by the attack.

The attack forced UHS to redirect ambulances to other healthcare providers and patients in need of surgery have been relocated to other nearby hospitals. The notice on the UHS website now says, “While this matter may result in temporary disruptions to certain aspects of our clinical and financial operations, our acute care and behavioral health facilities are utilizing their established back-up processes including offline documentation methods. Patient care continues to be delivered safely and effectively.”

UHS President Marc Miller issued a statement on Monday saying UHS took its systems offline on Sunday in an attempt to contain a malware attack. Those systems were used by approximately 250 U.S. healthcare facilities and included medical record systems and those used by laboratories and pharmacies across the country.

Marc Miller did not provide any details about the nature of the malware, but several individuals who claim to work for UHS have provided information about the attack that strongly suggests ransomware was involved. According to BleepingComputer, which was contacted by an employee of UHS, prior to systems being shut down, files were being renamed and had the .ryk extension added, which is used by Ryuk ransomware.

Several other employees have reported seeing a ransom note on their computers containing the text “Shadow of the Universe,” which is associated with Ryuk ransom notes.

Ryuk ransomware is often deployed as a secondary payload by the TrickBot Trojan, with TrickBot delivered by the Emotet Trojan. Emotet infections commonly start with a phishing email. According to Vitali Kremez of Advanced Intel, their Andariel platform detected multiple Emotet and TrickBot infections at UHS throughout 2020, with the latest detection in September.

The Ryuk ransomware operators are known to exfiltrate data prior to the use of ransomware; however, UHS says on its website that “no patient or employee data appears to have been accessed, copied or otherwise compromised in the attack.”

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.