In the wake of a debilitating cyberattack against one of the nation’s largest health care systems, Marvin Ruckle, a nurse at an Ascension hospital in Wichita, Kansas, said he had a frightening experience: He nearly gave a baby “the wrong dose of narcotic” because of confusing paperwork.
A May 8 ransomware attack against Ascension, a Catholic health system with 140 hospitals in at least 10 states, locked providers out of systems that track and coordinate nearly every aspect of patient care. They include its systems for electronic health records, some phones, and ones “utilized to order certain tests, procedures and medications,” the company said in a May 9 statement.
More than a dozen doctors and nurses who work for the sprawling health system told Michigan Public and KFF Health News that patient care at its hospitals across the nation was compromised in the fallout of the cyberattack over the past several weeks. Clinicians working for hospitals in three states described harrowing lapses, including delayed or lost lab results, medication errors, and an absence of routine safety checks via technology to prevent potentially fatal mistakes.
Despite a precipitous rise in cyberattacks against the health sector in recent years, a weeks-long disruption of this magnitude is beyond what most health systems are prepared for, said John S. Clark, an associate chief pharmacy officer at the University of Michigan health system.
“I don’t believe that anyone is fully prepared,” he said. Most emergency management plans “are designed around long-term downtimes that are into one, two, or three days.”
Ascension in a public statement May 9 said its care teams were “trained for these kinds of disruptions,” but did not respond to questions in early June about whether it had prepared for longer periods of downtime. Ascension said June 14 it had restored access to electronic health records across its network, but that patient “medical records and other information collected between May 8” and when the service was restored “may be temporarily inaccessible as we work to update the portal with information collected during the system downtime.”
Ruckle said he “had no training” for the cyberattack.
Back to Paper
Lisa Watson, an intensive care unit nurse at Ascension Via Christi St. Francis hospital in Wichita, described her own close call. She said she nearly administered the wrong medication to a critically ill patient because she couldn’t scan it as she normally would. “My patient probably would have passed away had I not caught it,” she said.
Watson is no stranger to using paper for patients’ medical charts, saying she did so “for probably half of my career,” before electronic health records became ubiquitous in hospitals. What happened after the cyberattack was “by no means the same.”
“When we paper-charted, we had systems in place to get those orders to other departments in a timely manner,” she said, “and those have all gone away.”
Melissa LaRue, an ICU nurse at Ascension Saint Agnes Hospital in Baltimore, described a close call with “administering the wrong dosage” of a patient’s blood pressure medication. “Luckily,” she said, it was “triple-checked and remedied before that could happen. But I think the potential for harm is there when you have so much information and paperwork that you have to go through.”
Clinicians say their hospitals have relied on slapdash workarounds, using handwritten notes, faxes, sticky notes, and basic computer spreadsheets — many devised on the fly by doctors and nurses — to care for patients.
More than a dozen other nurses and doctors, some of them without union protections, at Ascension hospitals in Michigan recounted situations in which they say patient care was compromised. Those clinicians spoke on the condition that they not be named for fear of retaliation by their employer.
An Ascension hospital emergency room doctor in Detroit said a man on the city’s east side was given a dangerous narcotic intended for another patient because of a paperwork mix-up. As a result, the patient’s breathing slowed to the point that he had to be put on a ventilator. “We intubated him and we sent him to the ICU because he got the wrong medication.”
A nurse in a Michigan Ascension hospital ER said a woman with low blood sugar and “altered mental status” went into cardiac arrest and died after staff said they waited four hours for lab results they needed to determine how to treat her, but never received. “If I started having crushing chest pain in the middle of work and thought I was having a big one, I would grab someone to drive me down the street to another hospital,” the same ER nurse said.
Similar concerns reportedly led a travel nurse at an Ascension hospital in Indiana to quit. “I just want to warn those patients that are coming to any of the Ascension facilities that there will be delays in care. There is potential for error and for harm,” Justin Neisser told CBS4 in Indianapolis in May.
Several nurses and doctors at Ascension hospitals said they feared the errors they’ve witnessed since the cyberattack began could threaten their professional licenses. “This is how a RaDonda Vaught happens,” one nurse said, referring to the Tennessee nurse who was convicted of criminally negligent homicide in 2022 for a fatal drug error.
Reporters were not able to review records to verify clinicians’ claims because of privacy laws surrounding patients’ medical information that apply to health care professionals.
Ascension declined to answer questions about claims that care has been affected by the ransomware attack. “As we have made clear throughout this cyber attack which has impacted our system and our dedicated clinical providers, caring for our patients is our highest priority,” Sean Fitzpatrick, Ascension’s vice president of external communications, said via email on June 3. “We are confident that our care providers in our hospitals and facilities continue to provide quality medical care.”
The federal government requires hospitals to protect patients’ sensitive health data, according to cybersecurity experts. However, there are no federal requirements for hospitals to prevent or prepare for cyberattacks that could compromise their electronic systems.