Rural Healthcare Provider Closing Due in Part to Attack WoesSt. Margaret's Health Is Permanently Shutting Hospitals and Clinics
A rural Illinois medical system will shut down on Friday partly due to fallout from a 2021 ransomware incident as a wave of extortionate malware exacts rising costs from the healthcare industry.
The system, consisting of two Catholic hospitals and several clinics, also cited personnel shortages and the novel coronavirus pandemic as reasons for the closure.
The closing of 44-bed St. Margaret's Health hospital in Spring Valley, Illinois, follows on the heels of the "temporary" suspension announced in January by nearby sister hospital, St. Margaret's Health in Peru, Illinois, which has 49 beds.
The closures - first reported by NBC on Monday - were foreshadowed on May 11 in a Facebook video posted by Sister Suzanne Stahl, the chair of parent organization SMP Health. A series of setbacks, including the ransomware attack, "made it impossible to sustain our ministry," she said.
Rural hospitals are increasingly the target of ransomware, especially given their lack of resources to pay for dedicated cybersecurity staff, reliance on outdated IT systems and, in many cases, a legacy of mismanagement and high turnover in ownership.
Sometimes, smaller rural hospitals fall victim not because they're specifically targeted but rather because they're simply more vulnerable than larger, better resourced entities. "Some of the sophisticated attackers are a little more strategic in their targeting but most throw spaghetti at a wall and hope it sticks," said Denise Anderson, president of the Health Information Sharing and Analysis Center.
The average cost of a healthcare data breach is $10.1 million, according to 2022 research from IBM and the Ponemon Institute.
"These problems have no end in sight, and if a healthcare provider is already running on thin margins, a cyberattack that disrupts operations can be existential," said Mike Hamilton, co-founder of security firm Critical Insight.
Members of St. Margaret's leadership team did not immediately respond to Information Security Media Group's requests for comment about the closing.
St. Margaret's parent organization, SMP Health, based in North Dakota, declined comment. Stahl in her Facebook post said another Catholic health care organization, OSF, had agreed to acquire the Peru hospital and resume operations at an unspecified date.
Spring Valley, Illinois Mayor Melanie Malooley-Thompson said in a Facebook post on Sunday that the closing of St. Margaret's Spring Valley hospital, which had been operations for 120 years, was a significant blow to the community.
"The hospital closure will have a profound impact on the well-being of our community. This will be a challenging transition for many residents," she wrote.
The closures of the St. Margaret's hospitals are not the first time a healthcare facility forever shut its doors due in part to business difficulties caused or exacerbated by a cyberattack.
That includes Wood Ranch Medical, a small clinic in Simi Valley, California, that in 2019 announced it would close because it could not recover access to any of its records as a result of a ransomware attack (see: Latest US Healthcare Ransomware Attacks Have Harsh Impact).