More on Operations

Universal Health Services hit with cyberattack that shuts down IT systems

Computer systems began to fail over the weekend, forcing some hospitals to file information with pen and paper.

Jeff Lagasse, Associate Editor

Healthcare giant Universal Health Services experienced an information technology security breach on September 27 that shut down its IT systems.

UHS suspended user access to its IT applications related to its U.S. operations. In a statement posted to its website, the health system said it implemented extensive security protocols and "is working diligently with its security partners to restore its information technology operations as quickly as possible."

Computer systems began to fail over the weekend, and some hospitals were forced to file patient information with pen and paper, sources told NBC News. The report called the breach potentially the largest medical cyberattack in U.S. history.

UHS President Marc Miller told The Wall Street Journal that the company took down systems used for medical records, laboratories and pharmacies across about 250 of its U.S. facilities over the weekend in an attempt to stop the spread of the malware attack. He said UHS is investigating reports of any patients who may have been at risk, but said that so far no patient or employee data appears to have been accessed.

Miller declined to comment on the nature of the malware, but the WSJ reported that the incident was a ransomware attack, based on comments from anonymous sources. Ransomware attacks occur when hackers exploit vulnerabilities to install software on a targeted computer network, encrypt the data and then promise to unlock the system in return for money.

The system said the incident may result in temporary disruptions to aspects of its clinical and financial operations. In the meantime, its acute care and behavioral health facilities are utilizing back-up processes including "offline documentation methods," and UHS maintains that patient care is still being safely and effectively delivered.

In a separate statement posted on Monday, the health system said its IT network is currently offline.

"We implement extensive IT security protocols and are working diligently with our IT security partners to restore IT operations as quickly as possible," the statement read.

Universal Hospitals also operates facilities in the United Kingdom, but those businesses don't appear to be affected. While it's unclear how long it will take to fully recover from the attack, Miller told the Wall Street Journal that UHS backs up pharmacy records daily and has already restored some of its network.

Nurses at several UHS hospitals reportedly said some computers began shutting down on their own, forcing them to hand-label every medication.

Headquartered in King of Prussia, Pennsylvania, UHS has about 90,000 employees. Through its subsidiaries it operates 26 acute care hospitals, 330 behavioral health facilities, 41 outpatient facilities and ambulatory care access points, an insurance offering, a physician network, and various related services located in 37 U.S. states, D.C., Puerto Rico, and the U.K. Its annual revenues were $11.4 billion in 2019.


With the cyberattack, Universal Health joins Montefiore Medical Center as two major healthcare organizations that have been targeted by cybercriminals in the past two weeks. Last week, Montefiore alerted patients that a former employee had recently stolen personal information from roughly 4,000 patient records, which led Montefiore to terminate the employee upon learning of the security breach and potential identity theft.

The hospital discovered the breach in July, and determined that addresses, dates of birth and Social Security numbers were potentially compromised over a period of more than two years, from January 2017 to July of this year. 

While there's no evidence to date that the patient information was used for the purposes of identity theft, a New York Police Department investigation is still underway.

Twitter: @JELagasse
Email the writer: