Canceled cancer treatments, cardiac tests
Cindy Pitcher’s radiation treatments for throat cancer are indefinitely postponed along with a bronchoscopy procedure to check a suspicious growth in one of her lungs. For Shianne Wiles, who has had heart palpitations and fainting spells, cardiac testing scheduled for later this week was canceled.
Both are caught up in the fallout from the latest tech troubles at McLaren Health Care, which confirmed Wednesday that a second major cyberattack in a year has caused new disruptions to its computer platforms and telephone systems.
The cyberattack crippled McLaren’s computer networks starting early Monday morning and continued Thursday to cause delays in treatment and diagnostic testing for patients like Pitcher and Wiles. It has disrupted care at all 13 McLaren hospitals in Michigan, along with its network of 113,000 medical providers throughout Michigan, Indiana and Ohio.
“Our information technology team continues to work with external cyber security experts to analyze the nature of the attack and mitigate the impacts of the threat actors,” McLaren said Wednesday in a statement sent to the Free Press. “At this time, we have not determined if any patient or employee data was compromised.”
Cancer patients can’t get treatment: ‘It’s just been terrible’
The Grand Blanc-based health system says on its website that it “operates Michigan’s largest network of cancer centers and providers, anchored by the Karmanos Cancer Institute.”
Karmanos treats 14,000 new cancer patients — like Pitcher, 64, of Chesterfield Township — each year whose health hangs on the line when cybercriminals hobble access to medical records, prescriptions, doctors’ orders, imaging and other test results.
Pitcher is a dialysis nurse who wasn’t feeling well in the spring. She had a sore throat that lasted for weeks. Initially, her doctor suggested allergies could be causing her symptoms.
“I said, ‘Mom, something’s not right,’ ” said her daugther, Tiffany Goebel, who works as a respiratory therapist for another health system. Goebel had nagging concerns about her mother’s symptoms and previous smoking history, and urged her to keep asking questions.
In May, an ear, nose and throat specialist identified the source of the problem: Pitcher had a large squamous cell tumor in her throat.
She underwent six weeks of chemotherapy and her oncologist then ordered 35 targeted radiation treatments to follow at the Karmanos facility at McLaren Macomb Hospital in Mt. Clemens.
Almost every weekday since June 18, Pitcher has gone to Mt. Clemens for radiation treatments, said Goebel, 43, of Trenton.
But this week, her medical team could not access Pitcher’s electronic records, physician’s orders or imaging scans because of the cyberattack. Goebel said her mother’s appointments were canceled because without that documentation, they couldn’t safely deliver her targeted treatments.
“I feel helpless,” Goebel said. The mother she described as “spunky” before her cancer diagnosis now feels defeated.
“This is so discouraging.”
She recalled that when Pitcher’s treatment regimen was established in May, her mother “was afraid she wouldn’t be able to tolerate it all. The doctors were like: ‘There’s a specific reason why we have to be so aggressive. There’s a reason we do that.’
“Before, they said we couldn’t miss a single day. So now what? You can’t just stop it.”
There was no timeline for when McLaren’s tech systems will be restored, so Pitcher doesn’t know when she will be able to resume treatments; her last one was Friday.
Pitcher’s oncologist suggested Wednesday evening that she might need to restart chemotherapy because she has missed so many radiation treatments, Goebel said.
“It’s just been terrible,” Goebel said. She worries about how the pause in radiation treatments will affect her mother’s outcome.
“Does this affect someone’s life expectancy?” she asked. “What about your quality of life? And the mental health stuff? Cancer treatment is bad enough. … I’m sick thinking about this.”
Echoes of previous cybersecurity breaches
This isn’t the first time a cyberattack at McLaren has had ripple effects that disrupted patient care.
Last August, a ransomware gang known as BlackCat/AlphV claimed responsibility for another attack on McLaren, posting online that it stole 6 terabytes of data, including the personal information of 2.5 million patients.
The health system reported at the time that it had shut down its own computer networks “out of an abundance of caution” after its information technology security team found suspicious activity during routine monitoring.
McLaren spokesperson David Jones did not answer questions this week from the Free Press about whether the latest cyberattack involves ransomware, but told the Free Press on Thursday that it is not connected to the previous breach.
He said he “will share updates as they become available” regarding the cyberattack and referred to the health system’s statement:
“Immediately after becoming aware of the attack, our hospitals and outpatient clinics instituted downtime procedures to ensure care delivery within our facilities. Several information technology systems continue to operate in downtime procedures while we work to fully restore functionality to our system. We have policies and procedures in place and train for information technology disruptions.”
It went on to say that McLaren’s facilities are “largely operational. … Our emergency departments continue to be operational, most surgeries and procedures continue to be performed, and our physician offices continue to see as many patients as possible. During this time of limited access to our systems, and out of an abundance of caution, some non-emergent appointments, tests, and treatments are being rescheduled.”
On Thursday afternoon, in response to questions from the Free Press about the delayed cancer treatments for Pitcher and cardiac testing for Wiles, Jones issued a new statement on behalf of McLaren:
“We deeply regret the impact this disruption has had on our patients, including those patients whose appointments have been rescheduled. We sincerely apologize for any inconvenience this cyber attack has caused.
“We are grateful for the dedication displayed under demanding circumstances by our various teams as we respond to this cyber attack. Our clinical staffs have demonstrated a true commitment to their patients and communities they serve, treating as many patients as possible as information technology specialists continue to make progress toward bringing systems back online.”
Uncertainty surrounds upcoming appointments
Shianne Wiles is worried about her heart.
“I am having a lot of heart racing episodes and palpitations, things like that,” said Wiles, who is 33 and lives in Pellston in the northern lower peninsula. “They just want to figure out what’s going on because I have been passing out a lot.”
It took her more than a month to book appointments for this Friday to get a cardiac halter monitor, an echocardiogram and a mammogram all on the same day at McLaren’s hospital in Petoskey.
Consolidating the appointments so they take place on one day matters because Wiles has seven children and has to drive 45 minutes each way and arrange for child care and time off work from her job at a fast-food restaurant.
When Wiles learned of the cyberattack, she called to confirm her appointments, but got an unsettling response on Wednesday: “They can’t see any appointments” because the scheduling system is entirely online, Wiles said. “They can’t see the schedule to even call anyone to reschedule anything.
“They told me to call them on Friday morning to see if their systems are back up or not. But the last time their systems were down, they said they were down for a month. So they’re not anticipating their systems to be back up for at least another week or two.”
Thursday afternoon, Wiles got two calls from McLaren. She said she was told all three appointments had been canceled, and she said, the health system will be unable to reschedule until its computer systems are back up and functional.
“I imagine, with at least a week’s worth of appointments being lost, … it’ll take a while for them to call everyone and will take forever to get in. I hate that they made such a vague Facebook post about it, saying almost everything is functional because nothing is.
“Doctor’s appointments are up, but any testing of any sort, like labs, urine, imagine, heart monitors, etc., is down. They could at least do a morning update post to say: ‘These services are down today.’ “
McLaren Northern Michigan
The delay in Wiles’ tests is likely to create a domino effect, she said. She is supposed to have a cardiac stress test later this month along with surgery to remove her wisdom teeth in September.
“They wanted to have all the testing done beforehand to make sure I’ll be good for the anesthesia,” Wiles said. “I’ve been waiting since March to have this surgery done.
“It’s really just delaying care at this point and pushing back my entire life.”
In the meantime, Wiles said she’s concerned about her chances of surviving a medical crisis. That’s because both of the hospitals nearest to her home are McLaren properties — the Petoskey hospital is about a 45-minute drive and the Cheboygan hospital is about 35 minutes away.
With the cyberattack affecting both of them, she’d need to go south to Munson Medical Center, about 90 miles from her home, to ensure she could get the care she needed.
“They’d have to life flight me to Traverse City, is what they told me,” she said.
More:McLaren confirms cyberattack across its 13 Michigan hospitals, physician network
More:Increasingly common, health care cyberattacks now even target patients with ransom
Thinking about it all is stressful, she said, and frustrating.
“There’s not much I can do about it,” Wiles said. “I don’t have a choice.”
Cyberattacks in health care are a growing problem
The volume of cyberattacks in the health care sector is growing quickly, said Kaustubh Medhe, vice president of research and threat intelligence at Cyble, an Atlanta-based cybersecurity firm.
Initially, cyberattackers targeted banking, finance, payment service providers, large IT and retail companies. But as those industries tightened up security measures, cybercriminals turned to other sectors, including health care, which “may not have the similar levels of cybersecurity maturity or similar levels of expertise or technology to be able to detect and prevent some of these attacks,” Medhe said.
“They know how to penetrate networks,” he said. “They know how to compromise access to critical applications and business systems. A lot of this data is sold or traded on the dark web and used in multiple attacks.
“There have been several instances where the same victim has been attacked multiple times. … If a company faces a ransomware attack, and if they’ve not been careful enough or thorough enough in sanitizing their environment, or identifying and eliminating all the traces or the footprints of that attacker, there is a chance that the attacker may still have access to that network remotely and may be able to activate it or sell it to some other group at a later point in time, which then could be used to carry out a second or repeat attack.”
When malware is deployed across computer networks, it can encrypt or destroy not only the original data, but backup systems, too. In those cases, Medhe said, companies are unable to restore all the data that was lost in a ransomware situation.
“These are some of the techniques to pressurize these victims into paying, and especially with health care because it’s such a time-sensitive industry where patients (need) medical assistance. Any type of downtime or outage really spoils the whole experience for the patient and also sometimes causes medical complications.”
Last year alone, 725 data breaches were reported to the U.S. Department of Health and Human Services Office for Civil Rights and more than 133 million records containing protected health data were exposed, according to the HIPAA Journal.
A cybersecurity breach in May that struck all 140 Ascension hospitals in the U.S., including in Michigan, forced the Catholic, nonprofit health system to postpone or cancel some appointments, divert ambulances to other hospitals and cut off electronic access to medical records, lab test results, radiology imaging and even impaired the ability for doctors to issue medical orders.
More:Ascension nurse: Ransomware attack makes caring for hospital patients ‘so, so dangerous’
More:Fallout from Ascension cyberattack continues: Michigan pharmacies can’t fill prescriptions
Also in May, the personal information of more than 56,000 people — including names, medical record numbers, addresses, dates of birth, diagnostic and treatment information, and health insurance details — was compromised in a cyberattack at Michigan Medicine, the academic medical center of the University of Michigan.
One of the largest cybersecurity incidents in the industry struck Change Healthcare in February, shutting down its computer networks and leading to widespread disruptions for patients who tried to fill prescriptions or who needed verification of insurance benefits and claims for treatment.
The company acknowledged personal data for “a substantial proportion of people in America” was compromised and the American Medical Association reported that the cyberattack caused financial strain for physicians. As many as 80% reported losing revenue from unpaid claims.
A 2021 study from Proofpoint and the Ponemon Institute found that among 641 organizations that provide IT for health care companies, 89% had experienced at least one cyberattack in the previous year. Of them:
- 64% said ransomware attacks caused delays in procedures and tests that resulted in poorer outcomes, including an increase in the severity of illness for patients.
- 59% said patients had to stay longer in the hospital as a result of ransomware attacks.
- 24% said ransomware attacks caused an increase in the hospital’s mortality rate.
Ripple effects of tech disruptions
The health impacts of tech disruptions are what have patients like Pitcher and her daughter most worried.
Not only has Pitcher missed radiation treatments because of the latest McLaren cyberattack, but a procedure to examine a suspicious spot on her lung to determine whether it might be cancerous also was canceled this week, Goebel said.
A pulmonologist had planned to do the procedure Wednesday using a bronchoscope, which is a thin, flexible tube with a camera attached that is guided through the nose or mouth, past the throat and into the airways.
Pitcher already had a CT scan at McLaren to prepare for the bronchoscopy, but the images from that scan are no longer accessible because of the tech disruptions, Goebel said.
The physician suggested Pitcher could have the bronchoscopy at a Henry Ford Health site later this month, but she’ll need a repeat CT scan first.
“He said, ‘You don’t want to wait around for things like this,’ ” Goebel said. “He has her scheduled at Henry Ford on the 21st,” but she’ll need “another CT scan with more unnecessary radiation exposure.
“The pulmonologist is trying to get this going, but is the insurance company going to pay for this?”
How to protect yourself from health care cyberattacks
Although much of health care has moved in the direction of digital charts and online patient portals, test results and scheduling, in this era of cyberattacks and technology disruptions, Medhe said it is smart to have paper copies of your records.
“People need to have backup plans in place if their health care provider is breached, which means they can no longer rely on computer systems to hold all their data and information about their condition, their prescriptions, their medical problems,” Medhe said.
“It’s always better … to have paper records of their conditions, their test results, doctors, prescriptions, their medical history. In case there is an emergency at their health provider, they can still access this information easily and go to some other health provider to get access to care.
“That’s an important takeaway. … Also have an understanding of or have a copy of their medical insurance (information). What is their coverage? What are the limits, emergency contact details and stuff like that. Maintain personal files, if possible, so that in such situations when they are logged out of the system or their service provider websites are down, they are still able to walk to an alternate health care provider and seek medical assistance.”
Additionally, Medhe said, consumers must be vigilant when it comes to watching for suspicious activity consumers with their health data, bank accounts, insurance plans and other service providers.
“Be aware,” he said. “Do not reveal sensitive information to strangers over phone or on social media. Do not reply or respond to suspicious links or click links on your phones or on your laptops. That is a good way to reduce the chances of data (being) compromised or a phishing attack.”
He recommends using multi-factor authentication on all of your accounts, and make sure you are updating your devices regularly for security patches and upgrades.
If a breach happens and your data is compromised, Medhe said it’s a good idea to sign up for the credit monitoring services that often are offered free in the aftermath.
“Definitely take advantage of that. To stay secure, they can always use dark web monitoring tools, which are available and alert you whenever your usernames and passwords have been put up for sale or exposed on the dark web.”
Contact Kristen Shamus: [email protected]. Subscribe to the Free Press.
link