Virginia Mason Franciscan Health’s parent company says ransomware led to outages

Virginia Mason Franciscan Health’s parent company confirmed Thursday a ransomware attack caused hospital-wide outages that have led to disruptions for patients and providers for more than a week.

MyChart, a patient portal used to track appointments, test results and other electronic health records, remains down and patients reported Thursday that their appointments continue to be disrupted. Neither CommonSpirit Health, the company affiliated with 10 VMFH hospitals throughout the Puget Sound region, nor VMFH has provided an estimated restoration date.

CommonSpirit Health, which has 140 hospitals in 21 states, said in a statement that it had notified law enforcement about the ransomware attack. It added that it took steps to protect its electronic systems, contain the incident and ensure continuity of care.

“Patients continue to receive the highest quality of care, and we are providing relevant updates on the ongoing situation to our patients, employees and caregivers,” CommonSpirit Health said in a statement. “Patient care remains our utmost priority and we apologize for any inconvenience this matter has created.”

VMFH said Virginia Mason Medical Center in Seattle and Virginia Mason regional medical centers aren’t affected and stressed that hospitals remain open. Health care providers at other facilities, however, have reported stressful shifts. A VMFH physician told the Tacoma News Tribune that his staff had been “flying blind” because of the outages. In Silverdale, the St. Michael Medical Center’s staffing shortages were compounded this week by the outages, leading to a backup of ambulances, the Kitsap Sun reported.

Ransomware is a form of malicious software (malware) that encrypts files on a device and then demands a ransom to decrypt the files, according to the federal Cybersecurity and Infrastructure Security Agency. In 2021, 66% of health care organizations surveyed in 31 countries were hit by ransomware, according to a report by Sophos, a cybersecurity company.