
Small-town Japanese hospital struggling with 'disaster' after ransomware attack

Desks are seen lined up in front of the reception windows as staff process patients' cases by hand at the municipal Handa Hospital in the town of Tsurugi, Tokushima Prefecture, on Nov. 10, 2021. (Mainichi/Yoko Kunimoto)

TOKUSHIMA -- A municipal hospital in a small town in west Japan is struggling badly after its computer system was infected by ransomware in a late October cyberattack.

    Ransomware is illicit software that encrypts data and demands funds to make them accessible again. The virus infecting the systems at Tsurugi municipal Handa Hospital in Tokushima Prefecture has disrupted electronic records for some 85,000 patients, making it impossible for staff to calculate medical fees. As a result, it has stopped accepting new outpatients, and staff must make patient record entries by hand when handling diagnoses.

    There is as yet no estimate for when the hospital's systems will be restored, and individuals connected to the institution are saying the situation is "already a disaster."

    Tsurugi had a population of about 8,200 as of the end of September, and is located by the Yoshinogawa river nestled in the mountains in northwest Tokushima Prefecture. Handa Hospital is a general hospital with 120 beds, and is visited by around 250 to 300 patients every weekday. As a core medical institution, the hospital protects the lives of locals in an aging and depopulating area.

    The hospital realized something was amiss at about 12:30 a.m. on Oct. 31, when many of its printers began spewing out paper simultaneously. On them, a message in English told the hospital its data had been stolen and encrypted, and that if a ransom was not paid the data would be released. The printers continued putting out the message until the paper ran out.

    A shocked nurse on duty contacted a system administrator, and countermeasures began at about 3 a.m., including cutting off the hospital's internet connection. At around 9 a.m., the hospital reported the issue to Tokushima Prefectural Police, who are now investigating the case on suspicion of offenses involving electronic or magnetic records containing unauthorized commands, the charge applicable to computer virus crimes.

    The damage to the hospital has been enormous. Not just its main server but its backup server, too, has been infected with the virus. Staff cannot browse electronic patient records, and therefore can't obtain basic information such as patients' names, ages, treatment and what medicines they have been given. The hospital switched to electronic records about 10 years ago, and there are no hardcopies. The treatment cost calculation system, which is connected to the electronic patient records, is also inoperable.

    The hospital has been forced to find ways to deal with the situation. All patient records from check-in on are being written by hand. Hospitalized patients' conditions and other information are being entered into old computers pulled from storage. With medical histories rendered inaccessible, staff must ask patients for their names and have them describe their conditions and treatments from the start, doubling workloads.

    Handa Hospital Director Masahiko Nakasono stands next to the now unusable computers at the municipal hospital in the town of Tsurugi, Tokushima Prefecture, on Nov. 10, 2021. On the walls behind him, handwritten contact details can be seen. (Mainichi/Yoko Kunimoto)

    "We can't see any records, including prescriptions, test results and diagnostic images," Doctor Yasushi Sudo, a urologist who also works as a hospital industry management official at the town government, told the Mainichi Shimbun. "It's like treating people at an evacuation center in a school gymnasium during a disaster."

    The hospital stopped accepting new outpatients immediately after the attack, and all treatment is by appointment only. Because it cannot calculate treatment costs, bills are to be issued later. In November, an on-call doctor scheduled to come in three times on holidays had their work taken on by a neighboring hospital instead. But because Handa Hospital is the only medical institution in western Tokushima Prefecture where people can give birth, it is continuing regular health checks for pregnant women and deliveries. It is also accepting dialysis appointments.

    Based on the content of the ransom note and other characteristics, the virus that infected Handa Hospital appears to be LockBit 2.0, ransomware known to be used both in and outside Japan. As of writing, no specific sum has been demanded from the hospital. The virus's infection path is also reportedly under investigation.

    For Handa Hospital, this disaster was totally unexpected. As a precaution against an earthquake or water damage, the hospital's main server is on the first floor, and the backup is on the second. But both were on the same local area network. A manager at the hospital wore a troubled expression as he said, "We planned with a natural disaster in mind. Our computer virus countermeasures were insufficient."

    The hospital has engaged a specialist firm to restore its data, but there is no sense of when this will be completed. Hospital Director Masahiko Nakasono said, "We feel deeply sorry that this has caused problems for patients and the community. The staff are tired from this long struggle, too. Whether it's by an hour or even a moment sooner, I want the computer system restored quickly."

    (Japanese original by Yoko Kunimoto, Tokushima Bureau)
