Lamoille Health Partners is investigating suspicious computer activity that caused the Morristown-based health care provider to shut down its computer systems for nearly a week and a half.
The health center’s offices were also completely shut down for a couple of days to give time for doctors, nurses and other employees to switch over to old-fashioned manual, paper-based processes until the technology could be brought back online late last week.
According to CEO Stuart May, the “technology incident” occurred June 13.
“We do take this very seriously and brought in a cybersecurity forensic team as well as our legal team to work with us in assessing the situation to determine if there has been any compromised data,” May said. “We were able to restore our important data from backups and continue to serve all of our patients and partners.”
May said the organization set up a cloud-based server for “an extra layer of security” once the computer system was back up and running by late last week. He said medical records, billing, and other information had previously been stored on on-site servers, which were scrubbed to make sure they were clean and virus-free before being turned back on.
May said some appointments had to rescheduled during the week that staff were handling things manually — he is not sure exactly how many — and patient records had to be manually updated during that time. He said some, like Dr. David Coddaire, the medical director for family medicine in Morristown, have had plenty of practice with pen and paper over their careers.
May said the Federal Bureau of Investigation was informed and Lamoille Health hired cybersecurity company Tracepoint to conduct a comprehensive forensic search to see if any information, including patient records, had been compromised. May said there was not much he could divulge about the investigation, citing FBI protocol and federal privacy laws laid out in the Health Insurance Portability and Accountability Act (HIPAA).
As such, it remains unclear whether the suspicious activity resulted from malware or other type of computer virus or whether Lamoille Health’s servers had been purposely cyberattacked.
“At this point, we’re still going through to confirm if and what data may have been breached,” May said. “Once we are able to determine, particularly relating to our patients, if there has been any unauthorized access, we’ll promptly notify them in accordance with state, maybe even federal, laws.”
The University of Vermont Medical Center suffered a similar shutdown in October 2020, but on a much larger scale — its computer system was shut down for nearly a month, and even then, some services weren’t back online for even longer. Last summer, UVM told VTDigger the attack cost the hospital $40-$50 million, mostly in lost revenue.
May said Lamoille Health doesn’t have the same revenue stream that UVM does — the revenue “per encounter” is less for primary care — but with tighter budgets, there is also less wiggle room for revenue loss. He said he’s not yet sure how much money the health center may have lost.
In UVM’s case, the hospital reported it was not directly attacked by the malware that forced its technology shutdown. An employee took a corporate laptop on vacation and opened a personal email from a different company, which had a piece of malware attached to it — a “phishing” attempt aimed at a random slice of computer users.
The FBI said the attack was likely carried out by a cybercriminal gang long on the bureau’s radar.
May was unsure how long the investigation would take but said he is “100 percent” keen on uncovering what happened to prevent a similar occurrence in the future.
“Our systems are up and running and we’re actively providing care, and it is business as usual, even though we continue with our partners in investigating the matter,” he said.