Universal Health Services, one of the largest healthcare providers in the U.S., has been hit by a ransomware attack.

The attack hit UHS systems early on Sunday morning, according to two people with direct knowledge of the incident, locking computers and phone systems at several UHS facilities across the country, including in California and Florida.

One of the people said the computer screens changed with text that referenced the “shadow universe,” consistent with the Ryuk ransomware. “Everyone was told to turn off all the computers and not to turn them on again,” the person said. “We were told it will be days before the computers are up again.”

It’s not immediately known what impact the ransomware attack is having on patient care, or how widespread the issue is.

UHS published a statement on Monday, saying its IT network “is currently offline, due to an IT security issue.”

“We implement extensive IT security protocols and are working diligently with our IT security partners to restore IT operations as quickly as possible. In the meantime, our facilities are using their established back-up processes including offline documentation methods. Patient care continues to be delivered safely and effectively,” the statement said.

“No patient or employee data appears to have been accessed, copied or otherwise compromised,” it added.

An executive who oversees cybersecurity at another U.S. hospital system, who asked not to be named as they were not authorized to speak to the press, told TechCrunch that patient medical data is “likely safe” as UHS relies on Cerner, a healthcare technology company, to handle its patients’ electronic health records.

Jane Crawford, a spokesperson for UHS, did not comment further when reached by TechCrunch.

UHS has 400 hospitals and healthcare facilities in the U.S. and the U.K., and serves millions of patients each year.

The Ryuk ransomware is linked to a Russian cybercrime group, known as Wizard Spider, according to security firm Crowdstrike. Ryuk’s operators are known to go “big game hunting” and have previously targeted large organizations, including shipping giant Pitney Bowes and the U.S. Coast Guard.

Some ransomware operators said earlier this year that they would not attack health organizations and hospitals during the COVID-19 pandemic, but Ryuk’s operators did not.

Last week, police in Germany launched a homicide investigation after the death of a woman who was diverted to another hospital following a ransomware attack.

We’ll have more on the UHS incident as we get it.

Updated with a brief statement from UHS.

https://techcrunch.com/2020/09/28/universal-health-services-ransomware/

Universal Health Services, Inc. to Pay $117 Million to Settle False Claims Act Allegations

Alleged Violations Involve Medically Unnecessary Inpatient Behavioral Health Services

PHILADELPHIA – United States Attorney William M. McSwain today announced that Universal Health Services, Inc. and UHS of Delaware, Inc. (together, UHS) have agreed to pay $117 million to resolve alleged violations of the False Claims Act for billing for medically unnecessary inpatient behavioral health services and failing to provide adequate and appropriate services. UHS, which is headquartered in King of Prussia, Pennsylvania, owns and provides management and administrative services to nearly 200 acute care inpatient psychiatric hospitals and residential psychiatric and behavioral treatment facilities nationwide.

The resolution of these claims in the Eastern District of Pennsylvania is part of a comprehensive settlement between the Department of Justice and UHS, which arose out of UHS’s billing practices in multiple healthcare institutions across the United States. UHS will pay the United States and participating states a total of $117 million to resolve allegations that its hospitals and facilities knowingly submitted false claims for payment to the Medicare, Medicaid, TRICARE, Department of Veterans Affairs, and Federal Employee Health Benefit programs for inpatient behavioral health services that were not reasonable or medically necessary and/or failed to provide adequate and appropriate services for adults and children admitted to UHS facilities across the country.

The government alleged that between January 2006 and December 2018, UHS facilities admitted as patients federal healthcare beneficiaries who were not eligible for inpatient or residential treatment because their conditions did not require that level of care, while also failing to properly discharge appropriately admitted beneficiaries when they no longer required inpatient care. The government further alleged that UHS facilities billed for services not rendered, billed for improper and excessive lengths of stay, failed to provide adequate staffing, training, and/or supervision of staff, and improperly used physical and chemical restraints and seclusion. In addition, UHS facilities allegedly failed to develop and/or update individual assessments and treatment plans for patients, failed to provide adequate discharge planning, and failed to provide required individual and group therapy services in accordance with federal and state regulations.

https://www.justice.gov/usao-edpa/pr/universal-health-services-inc-pay-117-million-settle-false-claims-act-allegations

Of the $117 million to be paid by UHS to resolve these claims, the federal government will receive a total of $88,124,761.27, and a total of $28,875,238.73 will be returned to individual states, which jointly fund state Medicaid programs.

“Quality mental health treatment is critical for the patients who place their trust in the hands of service providers,” said U.S. Attorney McSwain. “The allegations involved in this matter – inappropriate billing and inadequate care – have no place in our health care system. Behavioral health service entities must have strong mechanisms in place, including appropriate supervision and oversight, to avoid fraud and abuse in order to ensure they provide the level of care that their patients deserve.”

The government’s investigation included 19 lawsuits filed under the whistleblower provision of the False Claims Act, which permits private citizens to file suit on behalf of the United States for false claims and share in a portion of the government’s recovery. The global settlement with UHS involved 18 cases that are currently pending in the Eastern District of Pennsylvania, Western District of Michigan, the Eastern District of Michigan, and Northern District of Georgia. As part of the resolution with UHS, the whistleblowers will receive $15,862,457.03, from the federal share of the settlement.

“We sincerely thank the relators in these cases. Together with their lawyers, these citizens provided essential assistance to the government throughout this case. Without the willingness of relators to shed light on allegations of fraud, preserving government program funds would be far more challenging. Their efforts played a vital role in the resolution of these cases,” said U.S. Attorney McSwain.

“The Department of Justice is committed to protecting patients and taxpayers by ensuring that the treatment provided to federal healthcare beneficiaries is reasonable, necessary, and free from illegal inducements,” said Acting Assistant Attorney General Ethan P. Davis for the Department of Justice’s Civil Division. “The Department will continue to be especially vigilant when vulnerable patient populations are involved, like those served by behavioral healthcare providers.”

In connection with the settlements, UHS has entered into a Corporate Integrity Agreement with the U.S. Department of Health and Human Services, Office of Inspector General (OIG), which will remain in effect for five years. UHS must retain an independent monitor, selected by the OIG, which will assess UHS’s Behavioral Health Division’s patient care protections and report to the OIG. In addition, an independent review organization will perform annual reviews of UHS inpatient behavioral health claims to federal health care programs.

https://www.justice.gov/usao-edpa/pr/universal-health-services-inc-pay-117-million-settle-false-claims-act-allegations