A list of healthcare cyberattacks that disrupted emergency services in 2023

By Sylvie Truong, The Readable
Dec. 22, 2023 11:45PM GMT+9

The healthcare sector has become a prime target for cyberattacks and the repercussions extend beyond data breaches. Ambulance diversions, emergency room closures, and surgery postponements resulting from cyberattacks are systemic vulnerabilities that could turn deadly.

The following list includes healthcare organizations and medical facilities that faced emergency service disruptions due to cyberattacks in 2023. Additionally, two other organizations are included due to the tactics that have been used against patients for extortion. Please note this is not a comprehensive list of all organizations attacked this year.

1. Liberty Hospital, USA

Date: December 19
Attack method: Undisclosed
Attacker: Undisclosed/Unknown
Facility Details: 1 hospital
Impact: On December 19, KSHB 41 TV news station reported emergency crews and the Kansas City Fire Department were transporting Liberty Hospital patients to other hospitals. Liberty is asking people to seek emergency care at other locations and are “unable to estimate how long the computer issue will last.” Patients with scheduled appointments are being contacted to discuss next steps.

2. Ardent Health, USA

Date: November 23
Attack method: Ransomware
Attacker: Unknown
Facility Details: 30 hospitals, 200 healthcare sites, and over 1,400 aligned providers
Impact: Emergency room patients in multiple states were diverted to other hospitals and surgeries were rescheduled. By November 30, all emergency rooms were accepting patients by ambulance, but some non-emergent procedures were still postponed. As of December 6, all clinics have resumed operations, but some non-emergent procedures are still postponed.

3. Tri-City Medical Center, USA

Date: November 9
Attack method: Undisclosed
Attacker: Claimed by INC ransomware group
Facility Details: 1 hospital
Impact: According to NBCs San Diego Channel 7 News TV Station, Tri-City placed itself on Internal Disaster diversion in collaboration with San Diego County’s Office of Emergency Services. Emergency patients were diverted to other hospitals as the hospital was unable to accept patients through 911 systems. In addition, the San Diego Union Tribune reported that elective surgeries were canceled. NBC 7 reached out to Tri-City five days after the attack to see if emergency services were still impacted, but Tri-City did not respond.

4. TransForm Shared Service Organization, Canada

Date: October 23
Attack method: Ransomware
Attacker: Claimed by Daixin Team
Facility Details: 5 hospitals were impacted
Impact: According to the Canadian Broadcasting Corporation (CBC), radiation treatments for cancer patients were transferred to other hospitals, surgeries were postponed, and people were asked to visit local clinics instead of the hospitals. On November 8, CBC reported it could take more than a month for the hospitals to restore their systems and that they will rebuild their network from scratch. On November 30, CBC reported that a $480 million lawsuit has been filed against the hospitals.

5. HealthAlliance, Inc., USA

Date: October 12
Attack method: Undisclosed
Attacker: Undisclosed/Unknown
Facility Details: 3 hospitals were impacted
Impact: On December 12, CBS News reported that by October 19, ambulances were diverted and emergency medical services crews had to decide whether to discharge admitted patients or transfer them to other hospitals. On October 21, HealthAlliance released an update saying ambulance diversions ended, but emergency stroke patients still needed to be treated elsewhere.

6. Carthage Area Hospital, Claxton-Hepburn Medical Center, USA

Date: August 31
Attack method: Ransomware
Attacker: LockBit ransomware
Facility Details: 2 hospitals
Impact: On September 2, Channel 7 News TV Station reported the emergency rooms of both hospitals had been placed on diversion. On September 5, Claxton-Hepburn Medical Center announced on Facebook that all out-patient appointments, including the cardiology lab and outpatient lab draws would be rescheduled. In a separate update, they said the cancer treatment center was also facing setbacks. On September 15, the hospitals announced the emergency departments, dialysis, cancer treatment, and wound care services were fully operational. Radiology and lab services were also restored, but some outpatient appointments were still being rescheduled.

7. Prospect Medical Holdings, USA

Date: August 1
Attack method: Ransomware
Attacker: Claimed by Rhysida ransomware gang
Facility Details: 16 hospitals, 165 outpatient facilities and clinics
Impact: Hospital spokespersons told CNN urgent care centers were closed, ambulances diverted stroke and trauma patients to other hospitals, and surgeries were canceled. Additionally, Connecticut’s Channel 3 Eyewitness News TV Station reported closures of primary care locations, specialty locations, a stroke center, imaging centers, blood drawing facilities, outpatient laboratories, and more. On September 13,  Becker’s Hospital Review, a medical industry magazine, reported that all 16 hospitals were back online. On December 14, local news outlet CT Mirror reported that Yale New Haven Health will purchase three Prospect hospitals in a $435 million acquisition.

8. Idaho Falls Community Hospital, Mountain View Hospital, and partnering clinics, USA

Date: May 29
Attack method: Undisclosed
Attacker: Undisclosed/Unknown
Facility Details: 2 hospitals, multiple clinics
Impact: Ambulances were diverted to different hospitals and some partnering clinics were closed. On June 13, Idaho Falls Community Hospital and Mountain View Hospital announced that all partnering clinics were re-opened. On June 22nd, Idaho Falls Community Hospital said they were once again accepting all ambulance traffic.

9. Tallahassee Memorial HealthCare, USA

Date: February 3
Attack method: Undisclosed
Attacker: Undisclosed/Unknown
Facility Details: 1 hospital
Impact: Emergency patients were diverted, all non-emergency surgeries and out-patient procedures were canceled, and only Level 1 trauma patients were accepted. On February 15, Tallahassee Memorial Healthcare announced they restored their systems and that all locations had returned to standard operations.

10. Norton Healthcare, USA

Date: May 9
Attack method: Ransomware
Attacker: Claimed by AlphV/Black Cat ransomware gang
Facility Details: 8 hospitals, over 40 clinics
Impact: On May 23, SC Media said patients seeking non-emergency care were urged to visit other locations. Prescription and lab delays were also reported. On June 8, WHAS Channel 11 News TV Station reported surgeries, appointments, and test results were still postponed due to the attack. Norton is mentioned on this list due to the ruthlessness of AlphV/Black Cat. In February, AlphV/Black Cat attacked Lehigh Valley Health Network and leaked breast cancer patients’ sensitive photographs.

11. Fred Hutch Cancer Center, USA

Date: November 19
Attack method: Ransomware
Attacker: Claimed by Hunters International; code similarities to Hive ransomware
Facility Details: 1 hospital
Impact: According to Seattle’s Channel 7 News TV Station, the hackers continue to issue direct threats to cancer patients demanding ransom. On December 14, Channel 7 News reported the cancer center is still figuring out the number of patients who had their information leaked.

In conclusion, as the frequency of these attacks escalates, it is imperative that our defenses become more robust. Strengthening international cooperation among security experts, law enforcement agencies, prosecutors, and lawmakers is vital for eradicating the threats posed by cybercriminals. Safeguarding the integrity of healthcare systems has never been more crucial for ensuring the well-being of patients and the protection of human life.


The cover image of this article was designed by Areum Hwang. This article was reviewed by Dain Oh and copyedited by Arthur Gregory Willers.

Sylvie Truong is a regular contributor to The Readable. Her interest in cybersecurity began in 2015, while working as a biomedical researcher at Columbia University’s Irving Medical Center. She worked in the Molecular Imaging and Neuropathology Division, analyzing data using various software programs. Due to her experience there, she developed an interest in cybersecurity and implementing better practices to protect personal data, valuable research information, and more. Sylvie holds a master’s degree in neuroscience and education from Columbia University.