Caught in Digital Crosshairs: Interview with a Healthcare Cyberattack Victim

Since the COVID-19 outbreak, there has been a shocking increase in cyberattacks on healthcare. According to Check Point Software, healthcare cyberattacks jumped by 45% globally over the past year—these attacks include cybercriminals holding hospital operations ransom to state-backed hackers stealing important vaccine data.

To bring the damaging impact of healthcare-related cyberattacks into focus, we spoke with a patient who unfortunately had to experience one firsthand. Our interviewee was caught in the University of Vermont Medical Center cyberattack of October 28, 2020—a ransomware attack resulting in a computer system shutdown that disrupted patient care for over 40 days. The interviewee will remain anonymous to protect his identity.

(Edited for brevity and clarity)

DPN: Tell us a little bit about yourself.

J.L.: I am 78 years old and presently live in South Burlington, Vermont, US. Before I came up to Vermont, I lived in Connecticut. While living in Connecticut, I was an administrator at a Hartford hospital for exactly 30 years.

What hospital do you go to for your personal appointments?

The hospital that I use is the University of Vermont Medical Center, … it serves, for the most part, the entire state of Vermont.

Can you explain why you contacted the hospital on October 28, 2020? What tipped you off that something was not right?

I’m a very complicated patient to the doctors. My primary problem is I have multiple myeloma, which is cancer of the bone marrow. I got a pacemaker, along with some other cardiac issues. I’m also a type 2 diabetic. So, I’m a real challenge.

I may very well have been one of the first people who, outside the hospital, realized that something was up. I called my primary nurse but got the receptionist. He said, “I don’t know if I can get a message to her. Something’s funny with my computer. I can’t get on the Internet. Our phones aren’t working properly. I’ll have to handwrite out a message and actually walk it down to her.”

Can you explain how the cyberattack disrupted your treatment?

In the Cancer Center… they could run all their machines — the problem was they couldn’t get to the patients’ records so they didn’t know what … dose of which chemotherapies …

I couldn’t get on the patient portal, which is called My Chart. The portal gives you information about your appointments, your test results, and all sorts of things. That was down. At first, just kind of seemed like an inconvenience.

A day or two later, I woke up with swollen ankles. For me, someone with a cardiac condition, it can be a sign of something bad happening. The heart isn’t moving enough blood through your system. I wouldn’t have been able to get through to cardiology, except the nurse practitioner befriended my wife and had given out her personal information.

Through that – because the system wasn’t connected – I was able to get ahold of her and ask, “What should I do?” I was stuck. This had me more concerned than anything else. There’s a chance when your blood pools like that something is wrong with you.

I remember[ed] the pharmacy where I had my prescription filled … the nurse had to call the pharmacy. They were able to backtrack in their system and tell her what it was and what the dosage was …

How did the cyberattack affect the hospital’s healthcare services, to your knowledge?

There are certainly patients out there who are critically ill. It’s important for them to know what’s going on and to be able to communicate with their doctors. But I gotta tell you it was at least four to six weeks before the patient portal was back online. So, some of those people were getting really concerned.

I was able to get back into the hospital, which was probably a couple of weeks later. I get in for tests and treatments and other stuff. I could tell by the questions patients were asking, tone of their voices, and their body language that they were concerned. I won’t say they were scared, but they were definitely concerned. Like, how am I gonna know this? How my gonna know that?

Nobody had answers for them because nobody knew anything.

A lot of these patients come from very economically depressed areas. For them, it’s a real inconvenience and an expense to get to the hospital and get denied treatment.

How were medical professionals reacting to the situation?

I can’t say enough good things about the medical staff, from my personal physician down to the receptionist. The way the hospital administration handled it was to keep their cards close to their chest. That wasn’t just their decision—they were working closely with the FBI. The paper said the FBI said to make no comment. So, there wasn’t an awful lot of information available to the patients.

How much did you know about cyberwarfare before the cyberattack occurred?

Yeah, I’ve heard the word. I could define it, but I never thought they could be as severe as that. I never realized it could run this deep and be this harmful. There’s obviously a lot of stories about it, but often they refer to what happened in other places. Now, the attacks are here.

Is there anything that you would want folks out there to know or understand about cyberwarfare?

I would advise people to print out your medical summary. It’s gonna have some, but not all of your information. You won’t get every last detail, but if this ever happens to you, at least you’ll be prepared.

When this comes on the news, listen. It is a real and serious threat—there’s no doubt about it. I was guilty, in the beginning, of thinking, “No big deal.” But this whole thing has shown me that this is becoming an arms race.

I was born during the Second World War. I clearly remember the Korean War, Vietnam, and all the small things that have happened since then. Yeah, this is serious. I never thought I’d see an electronic war over an open battlefield war, but here it is. It’s a horrible thing, and I don’t see anybody giving up.

Thank you so much for your time.

Have you been personally affected by a cyberattack on a hospital or healthcare organization? If so, we want to hear from you. Email us at [email protected] or let us know on Twitter using the hashtag #DigitalPeaceNow.

The University of Vermont Medical Center ransomware attack has not been attributed to any nation state.