UVM Health Network
Newsroom

Statement from UVM Health Network on Cyberattack

Published

The UVM Health Network has made good progress recovering from a cyberattack nearly two months ago, with some work remaining to complete. Today, we shared more information about the attack and our response, and confirmed that it was ransomware. Our IT staff did find a note, which did not request money, but included instructions to contact the criminals responsible for the attack. UVM Health Network leaders did not follow those instructions and instead contacted the FBI.

Based upon a thorough assessment by IT security experts, we have concluded that no Personally Identifiable Information (PII), Protected Health Information (PHI), or employee information was accessed or taken. Upon becoming aware of the attack, our Information Technology team brought down the Epic electronic health record system, which includes the MyChart patient portal, and also took down employee email and Internet connections, to protect patient and employee data. As a result of this action, the malware did not reach Epic. Through good planning, the UVM Health Network had backup copies of most of the information needed to restore systems.

However, since the ransomware destroyed the computer infrastructure on which the encrypted data resided, it took a significant amount of time for us to rebuild those systems. This sort of destruction is not usually a component of a ransomware attack, but it was a key aspect of the one that hit the UVM Health Network on October 28. IT staff had to rebuild the entire infrastructure before re-populating it with backed up files and data, in addition to scanning and cleaning 5,000 computers and endpoints that had been infected.

Despite the significant progress made by our IT team to restore systems, we know this attack has had an impact on many of our patients and staff. Over the past several weeks we have made every attempt to reschedule appointments and resume care where there were interruptions. We apologize for any disruptions or inconvenience to our patients, for whom we aim to provide the highest quality care, and we thank our incredible staff for working diligently through this challenging time. If a patient is waiting to hear from us and has not been contacted, they should call their provider or reach out to our Office of Patient and Family Advocacy at 802-847-3500.