Ascension cyberattack ‘causing chaos’ for Michigan hospitals

Updated Thursday May 9, 2024, 4:40 p.m.

Patients who can avoid going to Ascension emergency departments should do so for now, according to a doctor at Ascension St. John in Detroit — and those who must come to Ascension ERs should bring a written list of the medications, health history and the names of doctors or specialists they see.

“If they can go to a different hospital’s system to get care, they should do that,” said the doctor, who was not authorized to speak publicly about the cyberattack. “It’s going to take us twice as long at the ER, we’re all doing it via paper, it is going to slow down everything that we are doing. If you’re already an inpatient, we’re getting things done. But if you have a choice to go elsewhere, our wait times are going to be longer.”

Without access to electronic medical records, another problem they’re encountering is that many patients just don’t know the names of medications they take, what their full health history is, or “who their doctor is, which surgeon they saw, and you just have no idea,” the doctor said. Many patients are asking the doctors “can’t you just pull it up on the [electronic] chart?”

Original post: A massive cyberattack continued to cripple Ascension’s 140 hospitals across 19 states and Washington, D.C. for a second day on Thursday. Staff at different Michigan sites said serious heart attack patients are being transferred or diverted from at least two emergency departments, elective surgeries have been canceled at Ascension Borgess Hospital, and staff at Ascension St. John in Detroit have been instructed to “use Google sheets” to track how many patients are in the hospital, with no clear end in sight.

“A cyberattack has left 140 facilities without access to all technology applications throughout the system on May, 8, 2024 around 7 a.m.,” according to an internal email sent to Ascension St. John staff on Thursday morning. “Ascension National consultants are working to remedy the situation as soon as possible, but anticipate there will be a prolonged period of time before we return to normal activity…Use your best clinical judgment to minimize diagnostic testing and expeditious discharge of patients to reduce demand on our system while we transition to full downtime procedures.”

Nearly all medical documentation is being handwritten on paper, from medication orders to notes about operations. “Something will be missed,” said a nurse at Ascension Borgess in Kalamazoo, who wasn’t authorized to speak publicly about the cyberattack.

“It’s caused the biggest chaos,” the nurse said. “It’s a big safety concern for all the RNs, to have the physicians write out the orders. At least half the staff and surgery residents have never written [paper] orders. I literally had to show a resident what an order form is. And they said, ‘What do I do with this?’”

All elective surgeries at Ascension Borgess have been canceled for the day, the nurse said, and those scheduled for Friday will likely be canceled as well.

“We should be putting through 30 to 40 cases [per day] and we have 7 [surgeries] on today, if that gives you any idea,” the Kalamazoo nurse said.

Some ERs sending major heart attack patients to other hospitals

Emergency room staff at Ascension St. John in Detroit said they were diverting the most severe heart attack patients to other hospitals, but were still accepting stroke and trauma patients. Internal emails at another health system in the metro-Detroit area indicate at least one heart attack patient had been transferred from Ascension Providence in Novi, and that there could be more.

Care for routine adult and pediatric ER patients continued, a doctor at Ascension St. John said Thursday. “We can kind of shift and take care of things in any kind of disaster, and we’ve had temporary kind of computer issues in the past and we just switched to paper,” said the physician, who wasn’t authorized to speak publicly.

“We can’t even put in orders for food. It’s like a disaster area. There are carts with food and water [coming through] in the different floors. Everything is a phone call, paper, pencil. The more people and numbers that you know, the better.”

Meanwhile, it was “all hands on deck” for the pharmacy department, the Detroit doctor said. “Things are taking longer. There’s always concern about that. Have there been any major issues? None that I’m aware of. But things are happening slower. So that could be a problem if you needed a certain medication at the ready, that we don’t have at our department.”

Staff feel they’re being “kept in the dark” 

Ascension released a statement about the cyberattack on Thursday, but a spokesperson declined to answer additional questions:

“On Wednesday, May 8, we detected unusual activity on select technology network systems, which we now believe is due to a cyber security event. At this time we continue to investigate the situation. We responded immediately, initiated our investigation and activated our remediation efforts. Access to some systems have been interrupted as this process continues.

Our care teams are trained for these kinds of disruptions and have initiated procedures to ensure patient care delivery continues to be safe and as minimally impacted as possible. There has been a disruption to clinical operations, and we continue to assess the impact and duration of the disruption.

We have engaged Mandiant, a third party expert, to assist in the investigation and remediation process, and we have notified the appropriate authorities. Together, we are working to fully investigate what information, if any, may have been affected by the situation. Should we determine that any sensitive information was affected, we will notify and support those individuals in accordance with all relevant regulatory and legal guidelines.

We are reaching out to our business partners to ensure they are aware of the situation so they can take appropriate steps to safeguard their systems. We encourage all business partners to coordinate with the Ascension Technology partners to address any specific questions.”

Ascension has reported at least four cyber breaches that exposed “protected health information” in Michigan since 2019, according to federal data. The largest breach was reported in February 2022, with patient information for over 27,000 people across the state exposed in that incident.

Staff expressed frustration with communication from management, saying they were being given little information.

“They’re not telling us anything either,” a nurse said. “They’re being tight lipped. Management, honestly I haven’t even seen a manager today. Nobody is talking to us about what the plan is, or what things are going to look like. [Someone said] it could be days, could be weeks, could be months. That’s ridiculous… They think we should show up and shut up and do our job.”

An ER doctor at Ascension St. John said some updates were being given via phone call. “They say they’re working on it; just general sort of communication. We’re not very happy about it.

“But in the ED, we’re just trying to solve problems. So we will do our best to take care of [the patients’] emergencies, and get them where they need to be and the tests that they need. And I’m going to keep pushing with administration to get answers sooner.”

Michigan Public reporter Adam Yahya Rayes contributed reporting to this story.