© 2024 Connecticut Public

FCC Public Inspection Files:
WPKT · WRLI-FM · WEDW-FM · Public Files Contact
Play Live Radio
Next Up:
0:00 0:00
Available On Air Stations

Inside the cyberattack at Prospect Medical Holdings' CT hospitals

Waterbury Hospital is one of three facilities owned by Prospect Medical Holdings in Connecticut. The hospitals were hit with a cyberattack in August.
Shahrzad Rasekh
CT Mirror
Waterbury Hospital is one of three facilities owned by Prospect Medical Holdings in Connecticut. The hospitals were hit with a cyberattack in August.

For 17 days in August, Manchester Memorial Hospital was so crippled by a cyberattack that officials notified emergency services in eastern Connecticut they could not take patients, forcing crews to divert people to hospitals as far away as Massachusetts.

Over the course of a more than 40-day breach of three Prospect Medical Holdings hospitals in Connecticut, administrators at two of the facilities issued 29 “divert notifications” to emergency personnel throughout the region, according to ambulance dispatch logs obtained by The Connecticut Mirror.

Emails and reports obtained from the state Department of Public Health through a Freedom of Information Act request indicate the cyberattack was far more debilitating than hospital officials publicly acknowledged in August. The attack affected Manchester, Rockville General and Waterbury hospitals, as well as medical offices affiliated with the hospitals.

The hospitals were unable to bill Medicaid for payment, forcing the state Department of Social Services to advance them about $7.5 million. A review of the records shows the facilities had to cancel nearly half of their elective procedures and at times over the nearly six-week period couldn’t process X-rays or CT scans that are vital for treating potential stroke or heart attack victims.

At one point in mid-August, state officials were so concerned about staffing issues at Waterbury Hospital they considered activating the volunteer Medical Reserve Corps, which had previously been done only during the height of COVID.

The cyberattack also affected the number of people in the hospitals’ care, particularly at Manchester Hospital, which fluctuated from a high of 126 patients in early August to fewer than 90 by the week of Aug. 19, according to state records.

The three hospitals declared “all services back online” on Sept. 12, nearly six weeks after the attack began, according to diversion notifications.

But hospital officials recently told a group of about 30 legislators they still are recovering financially from the breach, and computer systems are not completely restored.

Rep. Cristin McCarthy Vahey, D-Fairfield, co-chair of the Public Health Committee, said executives described the recovery as slow and said they are struggling to get all systems back online.

“They continue to have to use paper checks to pay vendors, and it will likely take a few more months for everything to get fully sorted out. It is a very involved and lengthy process,” she said.

Sen. Saud Anwar, D-South Windsor, co-chair of the Public Health Committee, said a full review is needed, not only to assess how the hospitals responded to the attack but also to gauge the state’s response. He said he is considering holding a special legislative hearing. Anwar, a doctor who specializes in pulmonary medicine, has first-hand experience with the cyberattack because of his affiliation as a contracted physician with Manchester Hospital.

Anwar said the attack exposed the limits of the hospitals’ reliance on technology and gaps in how the state responds to this type of emergency.

“I know we have a lot more to do and [need to] start to have these conversations, because it’s not a matter of if, it’s a matter of when more such attacks are going to happen,” Anwar said.

“Shame on us if we don’t learn from what has happened.”

Spokespeople for Prospect Medical and Waterbury, Manchester and Rockville hospitals did not respond to requests for comment.

The timeline that follows, based on documents obtained by The Mirror, paints a vivid picture of the cyberattack’s aftermath and communication among the hospitals and outside parties, including state and federal health officials, from initial steps to the halting of services and concerns about the long-term impact.

Thursday, Aug. 3, 9:44 a.m.: ‘Code Orange’

The public health department was first notified of the cyberattack in an email sent at 9:44 a.m. on Aug. 3. State officials were alerted that all three Prospect Medical hospitals were in Code Orange — the second-highest state of emergency — until further notice. The attack occurred at 4:30 a.m.

The email included a notification that Eastern Connecticut Health Network had sent to its employees ordering them to log off their computers or “any workstations on wheels” and not to access any hospital computer systems, from X-rays to prescriptions. Manchester and Rockville hospitals are part of ECHN.

Meanwhile, the health network sent its first notice to emergency service personnel at 9:28 a.m., announcing that both Manchester and Rockville were on full diversion and taking no patients. That diversion lasted about 24 hours, records show.

By midafternoon, the state health department sent inspectors to some of the hospitals to ensure patient care was adequate. That evening, Francesca Provenzano, chief of Connecticut’s Office of Public Health Preparedness and Response, sent an email to more than 60 state employees saying that Prospect Medical anticipated the cybersecurity issue would “continue into tomorrow.”

By the next day, federal officials were calling DPH to gauge the severity of the attack. Members of the federal Centers for Medicare and Medicaid Services’ Emergency Response Team and the Administration for Strategic Preparedness and Response team contacted the health department for updates.

A key issue on the second day appeared to be ECHN’s need for glucometers, a blood glucose meter.

“I spoke to John and the VP of nursing at ECHN to better understand their needs and basically they are looking for glucometers,” Maryanne Pappas wrote in an Aug. 4 email. Pappas, who is a consultant for DPH’s Office of Public Health Preparedness and Response, said she had asked several hospitals for assistance.

“Glucometers house a lot of patient information that needs to be kept HIPAA compliant, so loaning glucometers can be a little tricky,” Pappas wrote. “This may have revealed a weak point to address and prepare for with cybersecurity threats in the future.”

Later that day, state health officials sent an alert to all local public health directors detailing what they knew: Three hospitals in Connecticut were hit with a cyberattack, the FBI was investigating, all three hospitals were in “down time procedures,” and DPH’s Facility Licensing and Investigations Section staff was monitoring the situation.

Late that night, Rockville General Hospital issued the first of more than 20 diversion notifications, this time informing emergency service personnel they were in a CT scan diversion.

The notifications cover four classifications — “closed emergency departments,” “unable to accept stroke patients,” “unable to accept psychiatric patients” or a “full diversion.”

Manchester Memorial Hospital had to divert patients during the cyberattack.
Shahrzad Rasekh
CT Mirror
Manchester Memorial Hospital had to divert patients during the cyberattack.

Monday, Aug. 7, 8:32 a.m.: ‘Mistakes are being made’

On Saturday, Aug. 5, Gov. Ned Lamont’s chief of staff, Jonathan Dach, forwarded an email to Public Health Commissioner Manisha Juthani raising concerns about “deteriorating conditions” at the three Prospect-owned facilities and their non-payments to hospital vendors. The email warned the governor that the combination of financial problems and the data breach could put the pending sale of those hospitals to Yale New Haven Health at risk.

In that email, Griffin Health CEO Patrick Charmel told Lamont that Waterbury Hospital owes vendors more than $40 million and that Yale executives “have begun to question whether acquiring Manchester and Waterbury hospitals remains a prudent business decision.”

Dach sent the email to Juthani and asked her “to review your statutory powers to see whether there is a defensible interpretation under which to give you any hooks into Prospect.”

“If vendors are cutting off the hospitals, at some point they will not have the supplies they need to care adequately for patients,” Dach wrote. Juthani forwarded the email to colleagues at the health department, saying, “Every time the issue of authority over hospitals comes up I have to explain DPH has little authority.”

DPH received a complaint about patient care at the Prospect hospitals the next day, on Aug. 6, when an anonymous grievance was filed with the facility licensing division concerning Waterbury Hospital. The complaint was flagged by the DPH in an Aug. 7 email.

“Hospital is being run in unsafe conditions after computers being hacked. There is poor communication between health care providers and mistakes are being made that are affecting the welfare and safety of patients,” the complaint said. “There is insufficient information and history available due to no access to electronic records. Pharmacy is not verifying new medication orders before medications are administered putting patients at further risk.”

State officials sent inspectors to Waterbury Hospital to investigate, documents show.

On Tuesday, Aug. 8, DPH Public Health Services Manager Cheryl Davis told officials with the Centers for Medicare and Medicaid Services that an onsite visit the previous day at Waterbury Hospital “gleaned issues related to medical administration. We are writing findings on the state side and requested an action plan. If the issue continues we will request a substantial allegation survey.”

Davis went on to indicate the state was considering issuing an immediate jeopardy order — findings that indicate violations at the hospital caused or were likely to cause harm or death to residents.

State public health officials would not say if they issued that order, but in another emailto federal officials, Davis wrote, “a few patients had missed their medications.”

“The investigation has not concluded, therefore we cannot release any additional details until such time it is closed,” said Christopher Boyle, a spokesman for the health department, last week.

Rockville General Hospital is one of three hospitals in Connecticut owned by Prospect Medical Holdings.
Shahrzad Rasekh
CT Mirror
Rockville General Hospital is one of three hospitals in Connecticut owned by Prospect Medical Holdings.

On Tuesday, Aug. 8, ECHN’s CEO Deborah Weymouth sent a letter to Office of Health Strategy Commissioner Deidre Gifford giving a more detailed, unvarnished look at the impact of the cyberattack on Prospect Medical’s Connecticut facilities.

Weymouth told Gifford that among the ECHN facilities shuttered on Aug. 8 were 11 outpatient community blood-draw locations, an urgent care center in South Windsor and its Women’s Center for Wellness, also in South Windsor, “due to an inability to save and send images through a secure network.”

She informed OHS the system was still in Code Orange and that they had “temporarily centralized our medical inpatient teams and patients from Rockville’s campus to our Manchester campus and we continue to re-evaluate and review our resources and needs daily.”

Weymouth did not elaborate on whether patients were moved from Rockville to Manchester. She said Prospect had hired a third-party cybersecurity firm to investigate the attack and that they were working closely with law enforcement. She did not give Gifford’s office any timeframe for when the hospitals expected to have their systems back online.

Friday, Aug. 11, 7:02 p.m.: Manchester full ED diversion

As the cyberattack stretched to one week, DPH officials began requesting daily updates from Prospect, including census numbers for all three hospitals, all diversion statuses and updates on elective and outpatient services.

The partial census reports provided to The Mirror by DPH show that Manchester Hospital was most impacted by the cyberattack. On Aug. 9, the hospital reported 126 inpatients. By Aug. 20, that number had dropped to 88.

The decline in patients coincided with a notification ECHN sent on Aug. 11 indicating that Manchester Hospital’s emergency department would be on full diversion.

That diversion was supposed to end Aug. 14, but records show it continued for two more weeks, until Aug. 28. That meant ambulances could not bring patients to the emergency room or to the hospital to be admitted.

The health department received a complaint about care at Waterbury Hospital in the aftermath of the cyberattack and about crowded conditions at a neighboring hospital.
Shahrzad Rasekh
CT Mirror
The health department received a complaint about care at Waterbury Hospital in the aftermath of the cyberattack and about crowded conditions at a neighboring hospital.

Monday, Aug. 14, 4:32 p.m.: Surgical algorithms

In the cyberattack’s second week, DPH officials were beginning to realize the crisis would not end any time soon. They were particularly concerned about patient care.

On Aug. 14, Barbara Cass, senior advisor at DPH for long-term care, held a meeting with the chief medical officers for all three hospitals to discuss the “surgical algorithm” they were using to determine whether to cancel surgeries.

The doctors indicated that about 50% of elective surgeries had been postponed. More ominously, Cass said, the doctors indicated “it does not appear as if the issue will be resolved in the near future.”

That same day, Prospect officials contacted the state to say they were in need of pharmacists and pharmacy technicians.

The request set off a discussion among state officials, including the state Division of Emergency Management and Homeland Security (DEMHS), about whether the state could activate its Medical Reserve Corps to assist the hospitals, particularly Waterbury Hospital, because of its request for pharmacists and pharmacy technicians. The corps is a group of volunteers that can be called in by DPH to assist in emergencies. The last time it was used was during the first few months of COVID.

Boyle, the spokesman at DPH, said Prospect Medical did contact the agency about opportunities for Medical Reserve Corps support.

“MRC chapters are local in nature. DPH reached out to the Capitol Region Council of Governments (Hartford area) based on the request for support to connect [Prospect Medical] administrators with the regional Medical Reserve Corps liaison,” he said last week. “DPH did not receive activation paperwork, indicating that no activation of volunteers was needed. [Prospect Medical] managed their own staffing levels to support hospital operations.”

But emails show that the discussion about calling in the MRC lasted for several days, with emergency medical officials from the Naugatuck Valley pushing to have them activated. Officials with the Division of Emergency Management decided the situation did not call for using the volunteer force to assist a for-profit institution.

The request led to a discussion between Provenzano and Brenda Bergeron, head of DEMHS, about when the corps should be used. Bergeron told DPH officials “activation of a volunteer civil preparedness force to support private sector activities should be used only when there is an imminent threat to life safety or private resources are not available.”

In a recent interview with The Mirror, Bergeron said, “DEMHS would have supported an activation of an MRC team in this situation if approved by DPH. MRC Teams are by statute under the auspices of DPH, so activation would ultimately have been their call.”

Anwar said the state’s reaction to that request should be reviewed.

“We are in the midst of a disaster, it’s localized but it’s really a disaster. Can you help us?” Anwar said. “But at that time, rather than having a support system, the conversation is that if you’re not safe, we will shut you down.”

Anwar said that’s not the conversation health care systems want to have in the middle of a crisis, when “radiologists are living in the hospital for weeks at a time to ensure they can physically run X-ray results to doctors.”

Anwar said the cyberattack also showed how hospital systems’ reliance on technology can be exposed. For example, he said, it is typical in hospitals for one person to monitor up to 20 cardiac patients on one computer. If the system goes down, however, each one of those patients needs to be individually monitored.

“You’re seeing 20 patients, if not more, looking at everybody’s heart rhythm, and in a matter of a second, that one person is going to be saying ‘Oh, room 22 is having an arrhythmia, need to code and respond,” Anwar said. “Now, with the technology not being there, every single room had to have one person sitting there looking at that monitor.”

At different times during the cyberattack, Manchester Hospital was fully diverting patients.
Shahrzad Rasekh
CT Mirror
At different times during the cyberattack, Manchester Hospital was fully diverting patients.

Tuesday, Aug. 15, 4:04 p.m.: ‘National Guard or anything?’

DPH’s escalating concerns about patient care at Waterbury Hospital in particular also may have stemmed from another complaint it received, this one on Aug. 15.

This complaint came from Rep. Christie Carpino, R-Cromwell, who got a message from a constituent who said her dad was on a gurney in the hallway of an emergency room for two days.

Karla McClain reached out to Carpino on Facebook on behalf of her father, 71-year-old John Chipelo, who fell on Aug. 13 in his Naugatuck home after his hip gave out. His family called an ambulance, which brought him to Saint Mary’s Hospital in Waterbury that morning.

With patients being diverted from Waterbury Hospital, McClain said, Saint Mary’s emergency department was overrun. People were lying on gurneys in the hallways, and doctors and nurses were stretched thin. Her father was in “excruciating pain” but did not receive adequate attention or medication to treat it, she said.

He remained on a gurney in the hallway for two days before finally being admitted Aug. 15. At times, McClain said, it got so crowded in the emergency room that people were sitting on the floor.

A spokeswoman for Saint Mary’s said facility leaders communicated daily with Waterbury Hospital officials and offered support.

“During this period, we did see a significant increase in patient volume in the emergency department, inpatient admissions and outpatient services,” the spokeswoman, Stephanie Valickis, said. “We worked diligently to accommodate the increased demand and implemented solutions to ensure we were optimizing the flow of patients throughout the hospital.”

“Over the course of a three-week period, Saint Mary’s assumed requested medical, ST-Segment Elevation Myocardial Infarction (STEMI) and stroke diversions from Waterbury Hospital,” she added. “With respect to patient feedback, Saint Mary’s Hospital has a very rigorous standard process in which our Patient Advocate fully investigates every complaint and works thoughtfully to bring resolution to our patients and their families.”

McClain shared her concerns with Carpino and Sen. Matthew Lesser, D-Middletown, which were forwarded to the state health department.

“My dad was in the hallway of the ER for two days before he got a bed and there were so many people sitting on the floor and waiting for hours,” McClain wrote. “Could there be any solutions to help this situation, like the National Guard or anything?”

In an interview with The Mirror, McClain recalled feeling “powerless” as she watched her dad in pain that day.

“I just felt bad that we couldn’t do more to help him, and we couldn’t do more to get him the comfort he needed,” she said. “You feel very powerless when there’s nothing you can do. You’re sort of at the mercy of what else is happening.”

Chipelo, who had cancer, died in September.

McClain said she received a reply from the state about her complaint indicating they were looking into the situation, but she hasn’t received an update since. She hopes officials consider better procedures and additional resources for hospitals should a similar attack occur again.

“With this going on for weeks, why would you not find something else to do to help patients so they can get the care they need?” McClain said. “It was astounding. [At one point], the whole first floor was filled with people waiting, either waiting for family members or waiting themselves to be seen.”

Boyle said DPH has not concluded its investigation into McClain’s concerns, “therefore we cannot release any additional details until such time it is closed.”

Rockville General Hospital. The heads of the Prospect-owned hospitals said they are still recovering from the attack.
Shahrzad Rasekh
CT Mirror
Rockville General Hospital. The heads of the Prospect-owned hospitals said they are still recovering from the attack.

Monday, Aug. 21, 4:34 p.m.: Back in the next few days

Just over a week after the cyberattack began, state officials learned the hospitals were unable to bill Medicaid for services, creating deeper financial difficulties. Adelita Orefice, chief of staff at the health department, told her team that Prospect’s hospitals in Rhode Island were requesting advances on Medicaid funding because they couldn’t properly file claims.

Hospital officials faced similar challenges in Connecticut. Prospect representatives had reached out to Gainwell Technologies, the contractor that oversees Medicaid billing and claims processing for the state Department of Social Services.

DSS spokesman Jalmar De Dios said Prospect officials were unable to bill Medicaid because of their computer problems. The agency advanced them funding during the emergency.

“Since they are still seeing Medicaid clients and are unable to bill for these services, we have been issuing interim payments to them,” De Dios said in an email to The Mirror. “The interims are based on their average Medicaid payments from the most recent six or so claim cycles. Once the system/billing issues are corrected and they submit their back billing, we will recoup all the interims.”

De Dios said the state so far has recouped about $1.9 million of the $7.5 million advanced.

McCarthy Vahey said hospital officials mentioned the problems with billing and making insurance claims when meeting with legislators on Sept. 26 while elaborating about the financial strain the cyberattack has caused.

“Part of what we talked about is certainly the impact on billing and insurance claims. All those things are done electronically. Having to do those by hand takes time and impacts the predictable nature of cash flow,” she said.

The last emails provided to The Mirror by DPH are from Aug. 21 and 22.

In one of them,Cass said, “we’ve heard anecdotally: the facilities may be coming back to pre-cyber functionality in the next few days.”

In an email from DPH attorney Henry Salron to his counterparts at the attorney general’s office, Salron forwarded an update Prospect Medical had provided to DPH on Aug. 22. Prospect Medical has not provided another update to either DPH or the attorney general since Aug. 22.

The problems, however, persisted.

That same day, Rockville Hospital issued another diversion notification that they could not accept stroke patients. Manchester Hospital was still fully diverting patients, dispatch records show, until Aug. 28. The last notification issued by either hospital was on Sept. 11, when Rockville once again put out a stroke diversion order. The next day, ECHN notified emergency medical personnel in the region that all systems were back online.

The cyberattack was over, but, as legislators learned last week, the damage it inflicted persists.

The aftermath: ‘You’re in bad shape’

Executives from Waterbury Hospital and ECHN, as well as a representative of Yale New Haven Health, went to the Capitol to meet with Lamont and lawmakers on Sept. 26 to deliver a unified message: The state needs to move fast to finalize the sale of the three hospitals to Yale. If the sale isn’t expedited, they warned, the three hospitals may no longer be financially viable.

An official from Prospect also attended.

Recently, hospital leaders told legislators, they are even having “difficulty paying for bed linens,” according to people at the meeting.

Dean Sittig, a professor of biomedical informatics at the University of Texas Health Science Center, said it’s not surprising that some hospitals take a long time to recover from a cyberattack.

The length of time it takes to restore computer systems and return to normal procedure after a data breach depends on how prepared a hospital is before an attack, he said.

“I’ve seen places take a month, even six weeks,” Sittig said. “A lot of it has to do with how your networks are configured, how prepared you are and what sort of backups you have in place. In a ransomware [attack], they lock part of your computer. If you don’t have a backup of that, you’re in bad shape.”

In the meeting with legislators, hospital officials said their computer system was old and their software needed to be updated — problems they hoped Yale New Haven Health would be able to address quickly when the sale goes through.

With cyberattacks against medical facilities becoming more common, Sittig said, some hospitals still have work to do to protect their data.

“I guess some think it can’t happen to them. They might think, ‘I’m too inconsequential for anyone to bother attacking me,’” Sittig said. “But they don’t understand that these systems work by people programming computers to try [to breach] every computer in the entire country. It’s not like they’re picking someone out and saying, ‘Let’s go to this little hospital in Connecticut and try something.’”

“This is a problem that can be prevented.”

This story was originally published by the Connecticut Mirror.

Stand up for civility

This news story is funded in large part by Connecticut Public’s Members — listeners, viewers, and readers like you who value fact-based journalism and trustworthy information.

We hope their support inspires you to donate so that we can continue telling stories that inform, educate, and inspire you and your neighbors. As a community-supported public media service, Connecticut Public has relied on donor support for more than 50 years.

Your donation today will allow us to continue this work on your behalf. Give today at any amount and join the 50,000 members who are building a better—and more civil—Connecticut to live, work, and play.

Related Content