Inform, Entertain, Inspire
Play Live Radio
Next Up:
0:00 0:00
Available On Air Stations

"It's causing chaos." What Ascension cyberattack means for Michigan hospitals

Doctors at Ascension St. John in Detroit said they were diverting major heart attack patients to other hospitals on Thursday.
Kate Wells
Doctors at Ascension St. John in Detroit said they were diverting major heart attack patients to other hospitals on Thursday.

Update: Friday, May 10, 2024, 5:45 p.m. 

Three days after a cyberattack disrupted access to basic medical technology across Ascension’s 140 hospitals nationwide, some Michigan doctors and nurses say they’re still unable to provide rapid care to patients experiencing medical emergencies or needing test results urgently.

Ambulances are now largely avoiding Ascension ERs in the Metro Detroit area, unless the patient “doesn’t really need to be in an ambulance,” a MedStar ambulance staff member said Friday afternoon. (Michigan Public isn’t naming Ascension or other medical staff who aren’t authorized to speak publicly about the impacts of Wednesday’s cyberattack.)

One ER doctor at Ascension St. John in Detroit said Friday a patient came in with a urinary tract infection, but it took 12 hours for her to get care because the hospital lost her urine sample four different times. That doctor said physicians there also had to wait an agonizing 90 minutes to get test results for an older woman in cardiac arrest — tests that normally take just 15 to 20 minutes.

“People are leaving and just going to urgent care [instead],” the ER doctor said.

And a family medicine nurse at Ascension said they were still unable to access crucial x-rays and test results for patients, including a woman experiencing shortness of breath — so they have no idea “if there was something going on in her lungs,” the family medicine nurse said. “Patients are getting harmed, no one can tell you otherwise.”

At Ascension Providence in Novi, a pharmacy staff member said the situation was “a total nightmare — we’re paralyzed.”

But several people coming in for outpatient appointments and procedures at Ascension Providence in Novi expressed appreciation for staff, saying they encountered only minimal delays, if any.

Other staff said they were managing to figure out “lots of old-style solutions that are working while electronics are slowly coming back.” And they were getting “all hands on deck (kind of like COVID times),” another Ascension doctor in Detroit said via text Friday afternoon.

“Things are adjusting,” a doctor at Ascension St. John Hospital Health Center at Kercheval in Grosse Pointe said via text. “But it is like washing dishes with boxing gloves.”

Staff at Ascension St. John in Detroit were instructed Friday to continue using Google sheets to track the number of patients receiving care at the hospital, and to anticipate “a prolonged period of downtime procedure before we return to normal,” according to an internal email. “Please innovate with sustainable workarounds.”

Update: Friday, May 10, 2024, 10:45 a.m.

Ascension still doesn’t have a timeline for when it will be able to restore its systems, according to a statement, but is warning patients and staff to expect “that we will be utilizing downtime procedures for some time.”

The wide scale cyberattack that began Wednesday morning has disrupted Ascension hospitals nationwide, and Ascension still doesn’t have access to vital technology including “our electronic health records system, MyChart (which enables patients to view their medical records and communicate with their providers), some phone systems, and various systems utilized to order certain tests, procedures and medications.”

Ascension didn’t provide specifics about how many elective procedures and appointments have been canceled for now, or how many emergency departments were diverting patients to other hospitals, or how many patients may have been transferred out of Ascension hospitals since Wednesday morning.

Instead, the statement says broadly that “some non-emergent elective procedures, tests and appointments have been temporarily paused while we work to bring systems back online,” and that “several hospitals are currently on diversion for emergency medical services in order to ensure emergency cases are triaged immediately.”

But Ascension staff who spoke to Michigan Public late Thursday, when Ascension released its most recent update, said there was still widespread confusion, uncertainty, and a lack of basic information being communicated to doctors and nurses, despite Ascension’s assertion that they had simply shifted into “established downtime protocols and procedures, in which our workforce is well trained.”

One ER doctor at Ascension St. John in Detroit said they were using sticky notes to transfer patients, and that a family member of a patient had eventually bought pizza for the whole department while the hospital’s food ordering systems were down. (Michigan Public is not naming Ascension staff who aren’t authorized to speak publicly about the cyberattack.)

“We’re used to having downtime [periods when IT systems aren’t available or aren’t working] for 12 hours,” that doctor said. But when the systems failed on Wednesday, it was initially “left to every doctor on the individual unit to say, ‘Oh crap, we need to get some paper up here.’ We literally had to do this on our own.”

“Thank god the electricity is on, otherwise we’d feel we’re in the apocalypse,” the ER doctor said Thursday afternoon, laughing wryly. “I think it will get easier. We’ve made templates, a pseudo board to keep track of the patients coming in and out to make it easier.”

An internal medicine doctor at an Ascension site in Grosse Pointe said they were still trying to figure out where certain patients were in the hospital on Thursday evening - whether they’d been discharged, or just moved to another department. But patients were being “really understanding, really patient” about the delays.

Ascension is also asking patients to “bring to their appointment notes on their symptoms and a list of current medications and prescription numbers or the prescription bottles so their care team can call in medication needs to pharmacies.”

Update: Thursday, May 9, 2024, 4:40 p.m.

Patients who can avoid going to Ascension emergency departments should do so for now, according to a doctor at Ascension St. John in Detroit - and those who must come to Ascension ERs should bring a written list of the medications, health history, and the names of doctors or specialists they see.

“If they can go to a different hospital’s system to get care, they should do that,” said the doctor, who was not authorized to speak publicly about the cyberattack. “It’s going to take us twice as long at the ER, we’re all doing it via paper, it is going to slow down everything that we are doing. If you’re already an inpatient, we’re getting things done. But if you have a choice to go elsewhere, our wait times are going to be longer.”

Without access to electronic medical records, another problem they’re encountering is that many patients just don’t know the names of medications they take, what their full health history is, or “who their doctor is, which surgeon they saw, and you just have no idea,” the doctor said. Many patients are asking the doctors “can’t you just pull it up on the [electronic] chart?”

Original post:

A massive cyberattack continued to cripple Ascension’s 140 hospitals across 19 states and Washington, D.C. for a second day on Thursday. Staff at different Michigan sites said serious heart attack patients are being transferred or diverted from at least two emergency departments, elective surgeries have been canceled today at Ascension Borgess Hospital, and staff at Ascension St. John in Detroit have been instructed to “use Google sheets” to track how many patients are in the hospital, with no clear end in sight.

“A cyberattack has left 140 facilities without access to all technology applications throughout the system on 5/8/2024 around 7 am,” according to an internal email sent to Ascension St. John staff on Thursday morning. “Ascension National consultants are working to remedy the situation as soon as possible, but anticipate there will be a prolonged period of time before we return to normal activity…Use your best clinical judgment to minimize diagnostic testing and expeditious discharge of patients to reduce demand on our system while we transition to full downtime procedures.”

Nearly all medical documentation is being handwritten on paper, from medication orders to notes about operations. “Something will be missed,” said a nurse at Ascension Borgess in Kalamazoo, who wasn’t authorized to speak publicly about the cyberattack.

“It’s caused the biggest chaos,” the nurse said. “It’s a big safety concern for all the RNs, to have the physicians write out the orders. At least half the staff and surgery residents have never written [paper] orders. I literally had to show a resident what an order form is. And they said, ‘What do I do with this?’”

All elective surgeries at Ascension Borgess have been canceled for the day, the nurse said, and those scheduled for Friday will likely be canceled as well.

“We should be putting through 30 to 40 cases [per day] and we have 7 [surgeries] on today, if that gives you any idea,” the Kalamazoo nurse said.

Some ERs sending major heart attack patients to other hospitals

Emergency room staff at Ascension St. John in Detroit said they were diverting the most severe heart attack patients to other hospitals, but were still accepting stroke and trauma patients. Internal emails at another health system in the metro-Detroit area indicate at least one heart attack patient had been transferred from Ascension Providence in Novi, and that there could be more.

Care for routine adult and pediatric ER patients continued, a doctor at Ascension St. John said Thursday. “We can kind of shift and take care of things in any kind of disaster, and we’ve had temporary kind of computer issues in the past and we just switched to paper,” said the physician, who wasn’t authorized to speak publicly.

Ambulances pulling up to the ER at Ascension St. John in Detroit in April.
Kate Wells
Ambulances pulling up to the ER at Ascension St. John in Detroit in April.

“We can’t even put in orders for food. It’s like a disaster area. There are carts with food and water [coming through] in the different floors. Everything is a phone call, paper, pencil. The more people and numbers that you know, the better.”

Meanwhile, it was “all hands on deck” for the pharmacy department, the Detroit doctor said. “Things are taking longer. There’s always concern about that. Have there been any major issues? None that I’m aware of. But things are happening slower. So that could be a problem if you needed a certain medication at the ready, that we don’t have at our department.”

Staff feel they’re being “kept in the dark” 

Ascension released a statement about the cyberattack on Thursday, but a spokesperson declined to answer additional questions:

“On Wednesday, May 8, we detected unusual activity on select technology network systems, which we now believe is due to a cyber security event. At this time we continue to investigate the situation. We responded immediately, initiated our investigation and activated our remediation efforts. Access to some systems have been interrupted as this process continues.

Our care teams are trained for these kinds of disruptions and have initiated procedures to ensure patient care delivery continues to be safe and as minimally impacted as possible. There has been a disruption to clinical operations, and we continue to assess the impact and duration of the disruption.

We have engaged Mandiant, a third party expert, to assist in the investigation and remediation process, and we have notified the appropriate authorities. Together, we are working to fully investigate what information, if any, may have been affected by the situation. Should we determine that any sensitive information was affected, we will notify and support those individuals in accordance with all relevant regulatory and legal guidelines.

We are reaching out to our business partners to ensure they are aware of the situation so they can take appropriate steps to safeguard their systems. We encourage all business partners to coordinate with the Ascension Technology partners to address any specific questions.”

Ascension has reported at least 4 cyber breaches that exposed "protected health information" in Michigan since 2019, according to federal data. The largest breach was reported in February 2022, with patient information for over 27,000 people across the state exposed in that incident.

Staff expressed frustration with communication from management, saying they were being given little information.

“They’re not telling us anything either,” a nurse said. “They’re being tight lipped. Management, honestly I haven’t even seen a manager today. Nobody is talking to us about what the plan is, or what things are going to look like. [Someone said] it could be days, could be weeks, could be months. That’s ridiculous… They think we should show up and shut up and do our job.”

An ER doctor at Ascension St. John said some updates were being given via phone call. “They say they’re working on it; just general sort of communication. We’re not very happy about it.

“But in the ED, we’re just trying to solve problems. So we will do our best to take care of [the patients’] emergencies, and get them where they need to be and the tests that they need. And I’m going to keep pushing with administration to get answers sooner.”

Michigan Public reporter Adam Yahya Rayes contributed reporting to this story. 

Kate Wells is a Peabody Award-winning journalist currently covering public health. She was a 2023 Pulitzer Prize finalist for her abortion coverage.