An undated file photo of UT Health Tyler, part of the UT Health East Texas network, in Tyler, Texas.
Washington CNN  — 

A cyberattack that diverted ambulances from hospitals in East Texas on Thanksgiving Day is more widespread than previously known and has also forced hospitals in New Jersey, New Mexico and Oklahoma to reroute ambulances, hospital representatives told CNN on Monday.

All of the affected hospitals are owned, or partly owned, by Ardent Health Services, a Tennessee-based company that owns more than two dozen hospitals in at least five states.

Among the hospitals currently unable to accept ambulances are a 263-bed hospital in downtown Albuquerque, New Mexico; a 365-bed hospital in Montclair, New Jersey; and a network of several hospitals in East Texas that serve thousands of patients a year.

It’s just the latest example of how the scourge of ransomware – which locks computers so hackers can demand a fee – has disrupted services at health care providers throughout the coronavirus pandemic.

In a statement Monday, Ardent Health Services confirmed that a ransomware attack caused the disruption and that its facilities were “diverting some emergency room patients to other area hospitals until systems are back online.” Hospital facilities were also forced to reschedule some non-emergency surgeries.

Patient care “continues to be delivered safely and effectively in its hospitals, emergency rooms, and clinics,” Ardent Health said on Monday.

A nurse working at one of the affected New Jersey hospitals told CNN that staff rushed “to print out as much patient information as we could” as it became clear that the hospital was shutting down networks because of the hacking incident.

“We are doing everything on paper,” said the nurse, who spoke on condition of anonymity because they were not authorized to speak to reporters.

“Everything becomes a lot slower,” the nurse said, referring to the reliance on paper, rather than computers, to track things like lab work for patients. “We drill on that a few times a year, but it still sucks.”

Chiara Marababol, a spokesperson for two New Jersey hospitals – Mountainside Medical Center and Pascack Valley Medical Center – affected by the hack, said the hospitals continue to care for patients in emergency rooms.

“[H]owever, we have asked our local EMS systems to temporarily divert patients in need of emergency care to other area facilities while we address our system issues,” Marababol told CNN in an email.

A warning from the feds

Officials with the federal US Cybersecurity and Infrastructure Security Agency (CISA) reached out to Ardent Health Services on November 22, the day before Thanksgiving, to warn the company of malicious cyber activity affecting its computer systems, a person familiar with the matter told CNN.

Ardent Health spokesperson Will Roberts confirmed CISA officials contacted the company “to make us aware of information about suspicious activity in our system.”

But that was after Ardent Health detected “an anomaly” on its computer systems on November 20 and “engaged additional external cybersecurity resources to investigate,” Roberts told CNN. On Thanksgiving Day, Ardent Health realized it was ransomware.

A CISA spokesperson referred questions about the communications to Ardent Health.

The outreach to Ardent Health was part of a program CISA began this year to try to warn organizations in critical industries that they risk falling victim to ransomware attacks unless they take defensive measures. CISA officials claim to have thwarted numerous ransomware attacks through the program.

The broad fallout from the Ardent Health hack shows how cyberattacks that hit a parent company or key service provider can have cascading impacts on critical infrastructure operators such as hospitals.

Cybercriminals, often based in Eastern Europe or Russia, have throughout the coronavirus pandemic repeatedly disrupted healthcare organizations across the US, locking computers and demanding a ransom. Many of the hacks have hit smaller health clinics that are ill-equipped to deal with the threat.

And in the last nine months alone, other cyber attacks have resulted in ambulances being diverted from hospitals in ConnecticutFloridaIdaho and Pennsylvania.

A 2021 study by CISA specialists found that a ransomware attack can hinder patient care and strain resources at a hospital for weeks, if not months.