2024.09.24

cyberintel.xyz

Intelligence for the Cybersecurity Community

Prospect Medical Suffers Critical ‘Data Security Incident,’ Emergency Departments Temporarily Close


“These are threat-to-life crimes, which risk not only the safety of the patients within the hospital but also risk the safety of the entire community that depends on the availability of that emergency department to be there.” - John Riggi, national advisor for cybersecurity and risk for the American Hospital Association and former FBI cybersecurity specialist

Primary care services, including emergency departments, at hospitals and clinics operated by Prospect Medical Holdings were closed on Friday, August 4, 2023, after a cyberattack on the company’s systems and data.

After first learning of the incident on Thursday, the company “took [their] systems offline to protect them and launched an investigation with the help of third-party cybersecurity specialists,” according to a company statement provided to the Associated Press.

As of Tuesday, August 8, 2023, the company’s website still carried a banner stating, “Prospect Medical Holdings, along with all Prospect Medical facilities, is experiencing a systemwide outage. We are working to resolve the issue as soon as possible and regret any inconvenience.”

Screenshot of a banner seen on the Prospect Medical Holdings website on August 8, 2023.

According to an annual IBM report on data breaches, healthcare was the most affected industry for the year ending in March 2023, with an average cost of $11 million per breach (the second most affected was the financial sector with an average cost of almost $6 million per breach). Given the large amount of personally identifiable information (PII) and protected health information (PHI) held by healthcare companies, the sector is a prime target for threat actors.

This cyberattack appears to be a ransomware attack; however, officials neither confirmed nor denied this detail. A ransomware attack is a “type of malicious attack where attackers encrypt an organization’s data and demand payment to restore access,” according to the National Institute of Standards and Technology (NIST). The FBI advises victims of ransomware attacks not to pay ransoms, as there is no guarantee that copied data will not be disclosed or sold at a later date, often on the dark web.

Adrienne Watson, a spokesperson for the National Security Council, said, “The Department of Health and Human Services has been in contact with the company to offer federal assistance, and we are ready to provide support as needed to prevent any disruption to patient care as a result of this incident,” and that the White House was monitoring the situation.

John Riggi, national advisor for cybersecurity and risk for the American Hospital Association and a former FBI cybersecurity specialist, said, “These are threat-to-life crimes, which risk not only the safety of the patients within the hospital but also risk the safety of the entire community that depends on the availability of that emergency department to be there.”
