At lunchtime on Oct. 28, Colleen Cargill was in the cancer center at the University of Vermont Medical Center, preparing patients for their chemotherapy infusions. A new patient will sometimes be teary and frightened, but the nurses try to make it welcoming, offering trail mix and a warm blanket, a seat with a view of a garden.
Then they work with extreme precision: checking platelet and white blood cell counts, measuring each dosage to a milligram per square foot of body area, before settling the person into a port and hooking them up to an IV.
That day, though, Cargill did a double take. When she tried to log in to her workstation, it booted her out. Then it happened again. She turned to the system of pneumatic tubes used to transport lab work. What she saw there was a red caution symbol, a circle with a cross. She walked to the backup computer. It was down, too.
"I wasn't panicky," she said, "and then I noticed my cordless phone didn't work."
That was, she said, the beginning of the worst 10 days of her career.
Cyberattacks on America's health systems have become their own kind of pandemic over the past year as Russian cybercriminals have shut down clinical trials and treatment studies for the coronavirus vaccine and cut off hospitals' access to patient records, demanding multimillion-dollar ransoms for their return.
Complicating the response, President Donald Trump last week fired Christopher Krebs, director of the Cybersecurity and Infrastructure Security Agency, which is responsible for defending critical systems, including hospitals and elections, against cyberattacks, after Krebs disputed Trump's claims of voter fraud.
The attacks have largely unfolded in private as hospitals scramble to restore their systems -- or to quietly pay the ransom -- without releasing information that could compromise an FBI investigation.
But they have had a devastating and long-lasting effect, particularly on cancer patients, said workers and patients from Vermont's largest medical system. Its electronic medical record system was restored Sunday, nearly a month after the cyberattack.
In the interim, clinicians were forced to send away hundreds of cancer patients, said Olivia Thompson, a nurse at the cancer center.
The staff fell back on written notes and faxes, leafing through masses of paper to access vital information. They tried to reconstruct complex chemotherapy protocols from memory.
And while the hospital has taken pains to reassure patients that most care could proceed, some staff members worry that the full damage of the October attack is not well understood.
"To recover from something like this is going to take months and months and months," Thompson said. "It feels like we are all alone, and no one understands how dire this is."
Elise Legere, a nurse at the cancer center, said she could compare the past weeks to only one experience -- working in a burn unit after the Boston Marathon bombing -- and has often found herself wondering about the motivation behind the cyberattack.
"It's like asking, what's the point of putting a bomb in an elementary school? What is the point?" she said. "There is a lot of evil in the world. Whoever did orchestrate this attack knows a lot about how devastating it is."
$61 MILLION IN RANSOM
The latest wave of attacks, which hit about a dozen U.S. hospitals, was believed to have been conducted by a particularly powerful group of Russian-speaking hackers that deployed ransomware via TrickBot, a vast network of infected computers used for cyberattacks, according to security researchers who are tracking the attacks.
The hackers typically work for profit. The FBI estimated that the cybercriminals, who use ransomware called "Ryuk," took in more than $61 million in ransom over 21 months in 2018 and 2019, a record.
The attacks slowed last spring, when cybercriminals agreed among themselves to avoid hacking hospitals amid the pandemic, security researchers said. But just before the presidential election, the groups resumed.
"In the past, they targeted organizations all over the world, but this time they were very specifically aiming for hospitals in the United States," said Alex Holden, chief executive of Hold Security, a Milwaukee firm.
The FBI said it will not comment on the attacks, citing ongoing investigations.
Holden and other cybersecurity experts said the targets and the timing -- just weeks after the United States targeted TrickBot -- suggest that one possible motivation could be retaliation.
In late September and October, fearing that cybercriminals could use ransomware to disrupt the election, the Pentagon's Cyber Command started hacking TrickBot's systems. Microsoft pursued the systems in federal court, dismantling 94% of TrickBot's servers.
The takedowns relegated TrickBot's operators to "a wounded animal lashing out," Holden said. His firm captured online messages sent among the group, including a list of 400 U.S. hospitals they planned to target, and informed law enforcement.
U.S. officials warned hospitals about a "credible threat" of attacks Oct. 23, and then an unusual cluster of attacks on hospitals took place. Several hospitals -- including Vermont Medical Center and the St. Lawrence County health system in New York -- have said they received no ransom note.
Others reported ransom demands "in eight figures, which is just not something that regional health care systems can do," said Allan Liska, an analyst with Recorded Future, a cybersecurity firm. These unusual demands, combined with the coordination of the attacks, make "it seem that it was meant to be a disruptive attack" rather than a profit-seeking one, he said.
Holden said many of the health systems opted to negotiate with their extortionists, even as ransoms jump into the millions.
"A great number of victims are dealing with these attacks on their own," he said.