UnitedHealth’s Crystal Run impacted by ongoing cyber incident

Updated on: 08 November 2023
Stefanie Schappert
Senior journalist
Crystal Run Healthcare, a New York-based multi-specialty medical group, continues to grapple with a “system interruption” that has impacted its network systems since last week.

The healthcare group of 400 providers at roughly 30 locations across the Hudson Valley and Catskill region announced the cyber incident Friday afternoon.

The Crystal Run website has posted a System Interruption Alert on its home webpage stating that it is “currently experiencing system issues impacting some of our services.”

“We are working diligently to resolve these issues and appreciate your patience,” the November 3rd alert reads, urging patients with any “emergency situation to call 9/11.”

The company, which was bought out by health technology firm Optum in February, has stopped short of identifying the outage as a cyberattack.

It appears the company is still investigating and unable to provide further details about when the cyber event was first recorded and/or what systems may have been affected.

Optum spokesperson Amy Charley confirmed that "patient services have not been impacted" and that "continuity of care remains our core focus."

Crystal Run serves 400,000 patients spanning a multitude of medical and surgical specialties, from primary care to oncology, the company states.

Furthermore, the medical group self-reports having somewhere between 1000 and 5000 employees. Both the patient and employee records are a potential boon for cybercriminals looking to steal sensitive data from the company’s systems.

“We are committed to protecting our patients’ information and maintaining the integrity of our information systems,” Charley said in a statement sent to Cybernews.

“We’re actively monitoring our systems to react and respond quickly to any situation,” she added.

Ironically, Crystal Run was one of the first medical practices in the US to implement electronic health records (EHR) to optimize patient information sharing among its medical staff and facilities.

Founded in 1996, Crystal Run said it has been recognized in the large practice category for “exemplary use of electronic medical records systems and sophisticated practice management.”

At this time, there is no word on when systems will be fully restored or what caused the outage.

The company also apologized to its patients for longer than usual wait times.

Crystal Run and Optum are both subsidiaries of UnitedHealth Group.

In May, UnitedHealth Group – also the parent company of United Healthcare, the fifth largest health insurance company in the US – became the biggest and most profitable healthcare conglomerate in America, according to industry reports.

Health records exposed in breaches over the past 12 months. Image by The HIPAA Journal.

Health industry attacks continue to rise

The July 2023 Healthcare Data Breach Report by The HIPAA Journal showed there were more than 81.76 million health records breached across 683 incidents since July 2022.

Nearly half of those breaches were reported to the US Department of Health and Human Services in the first half of 2023, up more than 106% over the first six months of 2022.

The number of compromised records is also up 60% for the same time period, according to Fortified Health Security’s 2023 Mid-Year Horizon Report: The State of Cybersecurity in Healthcare.

In 2023, the average number of compromised records per breach increased from 2 million to 3 million since last year.

The biggest attack took place this past July, with a breach of American medical network HCA Healthcare, exposing more than 11 million patient records.

In August, the California-based Prospect Medical Holdings (PMH) was breached by the Rhysida ransomware group, which gained access to network systems, compromising the data of nearly 200,000 people.

The most common threats to the healthcare industry include phishing, ransomware, and data breaches.