YNHHS pauses radiotherapy treatment for six days after software breach
A nationwide cybersecurity threat to Elekta, a vendor that delivers radiotherapy services at the Yale New Haven Health System, resulted in the interruption of treatment for approximately 200 cancer patients for six days.
Marisa Peryer, Senior Photographer
Yale New Haven Health officials reported on Friday that YNHHS was one among several health care systems in the United States affected by a cybersecurity breach in the software system of one of its vendors, Elekta — a Swedish company that provides radiotherapy and radiosurgery services to hospitals worldwide. Treatment sessions had to be paused last week but were resumed as of Monday.
Because Elekta uses a cloud-based storage system to program and deliver personalized treatment, the company had to shut down the software on April 20 following the breach to prevent other systems in any of the hospitals it serves from suffering subsequent invasions, YNHHS CEO Marna Borgstrom said in a Friday press conference. At YNHHS, this shutdown resulted in a six-day pause in the radiation treatment of about 200 patients. Doctors moved patients who could not miss any sessions to other locations outside YNHHS, and officials say there is no evidence that patient data was leaked through the breach.
“We have had opportunities to move some very time-sensitive cases to other locations and get [their treatment] done, and there are certain radiation therapy treatments that are not being impacted,” Borgstrom said. “Every patient has been called personally, and we have also sent out individual letters.”
The pause rendered the health system temporarily unable to operate any of its Elekta machines, which rely on the company’s software to deliver radiotherapy sessions for approximately 200 patients who are undergoing active cancer treatment at YNHHS. But Dana Marnane, director of public relations and communications at Yale New Haven Health, confirmed to the News that treatment sessions resumed on Monday.
Radiotherapy is a type of cancer treatment that is based on radiation’s ability to destroy cells, and tumor cells are particularly susceptible to these destructive powers. This kind of therapy typically involves targeting radiation beams to precise locations in the body where a tumor is situated — to shrink it before it can be removed surgically or to get rid of remaining cancer cells following surgery.
Radiotherapy is a personalized treatment, as the dose of radiation, the position in which someone has to lie to receive it and the duration and frequency of treatment are all particular to each patient. To optimize clinical workflow and facilitate this highly individualized treatment, Elekta’s care management software, MOSAIQ, allows for patient data, treatment regimens and any other necessary medical information to be stored in the same place, according to Elekta’s website.
Elekta’s interface, though especially useful for patients who are undergoing multiple kinds of treatment at once, aggregates a large amount of patient information. According to YNHHS Chief Medical Officer Thomas Balcezak, however, the system saw no indication that patient information had been leaked in this breach.
In a 2016 study published in the International Journal of Radiation Oncology, physicians at the Albert Einstein College of Medicine reported that missing two or more radiotherapy appointments could extend a patient’s radiotherapy treatment course by an average of 7.2 days. According to the National Health Service, although the baseline prescription is for patients receiving radiotherapy to stick to a five-day-per-week schedule, some cases require more than one session a day.
Depending on the length of someone’s radiation therapy regimen, missing one or two sessions may not have significant clinical impacts, Beryl McCormick, acting chairwoman in the Department of Radiation Oncology at Memorial Sloan-Kettering Cancer Center, told ABC News.
Vin Petrini — YNHHS senior vice president and chief policy and communications officer — said in the Friday YNHHS press conference that the system shares its patients’ concerns and was closely scrutinizing the situation. Balcezak added that though their radiation oncologists and information technology teams were assessing the implications of the pause, it is too soon to tell whether they will be reconsidering their use of Elekta’s services.
Elekta is also working to help any affected patients.
“An investigation is being conducted, and any affected customer(s) will be contacted and fully briefed through the appropriate channels and in accordance with any legal requirements,” an Elekta spokesperson told WTNH.
Elekta also shared a statement on its website, saying that the company is currently partnering with cyber experts and law enforcement to investigate what caused the cyberattack and how to mitigate the issue and prevent any future breaches.
Outside of YNHHS, 170 other hospitals and health care systems across the country were forced to shut down after Elekta cut off access to prevent the malware from spreading.
Elekta has over 4,000 employees.