HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

UVM Health Restores Electronic Health Record System One Month After Ransomware Attack

University of Vermont Health Network has announced it has brought its electronic health record (EHR) system back online, a month after experiencing a ransomware attack. The ransomware attack occurred on October 25, 2020 and caused a massive outage across all six of its hospitals. For the past month, staff have been forced to record patient information, orders, and medications using pen and paper while its computer systems were out of action.

Care continued to be provided to patients during the attack and recovery process, but the recovery of its EHR will greatly improve efficiency. The attack caused major disruption, especially at University of Vermont Medical Center in Burlington, but the attack affected its entire network. Without access to essential patient data, many elective procedures had to be rescheduled and the radiology department on the main campus experienced major delays, and was only open on a limited basis.

In a November 24, 2020 update, UVM Health announced it had achieved a major milestone in the recovery process, having brought its Epic EHR system back online for its inpatient and outpatient sites, including UVM Medical Center and the ambulatory clinics at Central Vermont Medical Center, Champlain Valley Physicians Hospital, and Porter Medical Center.

While electronic patient data is now available and staff can record patient data electronically, the recovery process is far from over and a great deal of work still needs to be done. “Our teams continue to work around the clock towards full restoration as quickly and safely as possible,” explained UVM Health.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

The phone system has been restored, but patients are still unable to use the MyChart patient portal so will not be able to access their health information online. There are hundreds of other applications used across the health network to deliver care to patients, and many of those systems remain offline. UVM Health is working hard at restoring those systems and they will be systematically restored over time, with the main focus being patient-facing systems.

Several other healthcare networks were attacked with ransomware around the same time as the attack on UVM Health. St Lawrence Health System in New York was able to restore its electronic health record systems within two weeks, but Sky Lakes Medical Center has been forced to replace the majority of its networks and workstations as a result of its ransomware attack.

Ashtabula County Medical Center (ACMC) in Ohio was particularly badly affected. ACMC was attacked with ransomware on September 24, 2020, with the attack affecting the medical center and 5 of its health centers. The EHR has still not been restored two months after the attack, and a full recovery is not expected until the end of the year.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.