MedStar Health patients were being turned away or treated without important computer records Tuesday as the health-care giant worked to restore online systems crippled by a virus.
By Tuesday evening, MedStar staff could read — but not update — thousands of patient records in its central database, though other systems remained dark, a spokeswoman said.
MedStar officials have refused to characterize the attack as “ransomware,” a virus used to hold systems hostage until victims pay for a key to regain access. But a number of employees reported seeing a pop-up message on their computer screens seeking payment in bitcoins, an Internet currency. One woman who works at MedStar Southern Maryland Hospital Center sent The Washington Post an image of the ransom note, which demanded that the $5 billion health-care provider pay 45 bitcoins — equivalent to about $19,000 — in exchange for the digital key that would release the data.
“You just have 10 days to send us the Bitcoin,” the note read, “after 10 days we will remove your private key and it’s impossible to recover your files.”
The cyberattack, which is being investigated by the FBI, forced MedStar’s 10 hospitals and more than 250 outpatient centers to shut down their computers and email on Monday. The health-care system employs more than 30,000 people and treats hundreds of thousands of patients in the Washington region.
Spokeswoman Ann Nickels said that its facilities, which stretch from Arlington to Baltimore, have operated safely throughout the crisis.
But two nurses said the cyberattack created a chaotic environment in at least one MedStar location, and a doctor at another facility said it had created a “patient safety issue.”
At MedStar Washington Hospital Center, one nurse who worked overnight described the situation as difficult. Without access to email and computer systems, the medical staff fell back on seldom-used paper records that had to be faxed or hand-delivered. But this nurse and another told The Post that the paper charts are far less comprehensive than those kept in digital form. They can be missing vital pieces of patient information: complete medical histories, every drug prescribed, allergies to medicine and treatment plans.
Without the computer systems, they explained, the health-care facilities were operating without a number of essential safeguards meant to hinder mistakes.
“Those are all in place to prevent human error,” the doctor said, “and you lose all that when you lose the computer system.”
Nickels denied that the cyberattack’s impact was that dramatic.
“There’s absolutely no indication of that from clinical leaders who are reporting in several times a day,” she said. “It’s stressful, but I think we all know what we need to do.”
MedStar’s chief medical officer, Stephen R.T. Evans, said in a statement Tuesday afternoon that “the quality and safety of our patients remains our highest priority, which has not waned throughout this experience.”
The nurse, however, said the challenges were serious.
For example, because lab results were taking so much longer to process, the nurse continued to give one patient a powerful antibiotic — with a number of potentially serious side effects — that should have been discontinued.
“The medication,” the nurse said, “should have been stopped eight hours earlier.”
The doctor echoed that concern. Speedy lab results, he said, are crucial in determining the best way to treat infections and other ailments. He also criticized MedStar’s preparation for the attack and how it communicated with employees afterward.
An emergency room nurse at Washington Hospital Center said ambulances continued to arrive Monday afternoon despite the staff’s struggles to remain organized without their computers.
Eventually, she said, ambulances carrying patients with conditions not deemed life-threatening were diverted elsewhere.
Still, problems persisted throughout the evening. The nurse said she noticed a number of paper charts with pages that lacked labels containing each patient’s identifying information. Without those labels, she said, documents could be placed on the wrong chart.
“There are a lot of people who have never done paper charting before, so it was a little chaotic for them,” she said. “I think the biggest fear that I had when I was working yesterday was the big opportunity for error.”
Derek Farwagi, 73, learned of the crisis Tuesday when he arrived at MedStar Georgetown University Hospital for his quarterly appointment with a kidney specialist. A doctor, he said, told him that they couldn’t access his health records, so his appointment had been canceled.
“It’s nuts that they don’t have a crisis-management system,” Farwagi said. “It’s absolutely irresponsible.”
The doctor also told him, he said, that “the hackers were demanding a ransom.”
A spokesman for the FBI declined to comment on the investigation, which comes just weeks after cyberattacks on at least three medical institutions in California and Kentucky. In one case last month, a hospital in Los Angeles paid hackers $17,000 in bitcoins to free its system.
In the Washington area, patients with significant medical conditions encountered treatment delays.
Cynthia Decker, who underwent a kidney transplant in December, had an appointment scheduled at MedStar Georgetown on Monday, but she received a call from a nurse practitioner just before she arrived at the facility.
“All the computers are down,” she recalled the nurse practitioner saying. “Don’t come in.”
Her appointment was moved to Tuesday, but MedStar canceled Tuesday morning.
“They’re down again,” a staffer told her at 8 a.m.
The spouse of a man receiving cancer treatment at one MedStar facility told The Post that he has been unable to receive radiation treatment for two days because of the shutdown. The spouse — concerned by MedStar’s assertion on Monday that “facilities remain open and functioning” — said that “the individuals most dependent on reliable, safe and uninterrupted treatment (i.e. cancer patients) are in fact currently not receiving at least some of those treatments.”
MedStar officials acknowledged treatment delays.
On Monday, they stressed that they had “acted quickly” to contain the virus by shutting down their computer systems and had found “no evidence that information has been stolen.”