Universal Health Services Ransomware Crisis — Communications for an Industry Threat

As more healthcare providers see ransomware attacks crisis preparedness is put to the test

Universal Health Services (UHS) is one of the United States’ largest health care providers, with 26 acute care hospitals, 328 behavioral health facilities, and 42 outpatient facilities.  so when media reports of a ransomware attack impacting its facilities began to appear, saying impacted audiences were concerned would be an understatement.

One of the first questions we often get in situations like this is, “Do we even have to say anything?”. And, without much ado, the answer is, “Yes”. Aside from any legal and ethical obligations, it’s the crisis management move that eliminates the most potential for damage. The story’s already in the news, and you have a widespread organization with thousands of employees, all of whom are allegedly impacted. The audiences that matter to you are going to hear the bad news anyways, and it’s better they hear it from you, in full, without any rumor, misinformation, or games of telephone muddying the waters. By moving quickly to become the source of information for key stakeholders, you prevent a long list of troubles that develop when people get their news from outside sources.

UHS got a statement out, they got it out fast, and they made it easy to find. Big plus. They also clearly point out who to contact for more information, something many miss when they’re rushing to get a message together. The statement shares the facts as they were known at the time, and it addresses the number one concern of their most important audience (see if you can spot it). Before we go any further, let’s take a look:

Crisis communications statement from Universal Health Services PR department


If you noticed the firm landing on the message that patient care is being delivered safely and effectively then congratulations, you spotted the #1 key message. That’s the most important thing for UHS audiences to hear in just about any sticky scenario, and you better believe it’ll be all over their crisis management playbook. You may also notice there’s no mention of malware in this first message, and before you cry foul play remember – as a communicator you have a duty to share facts, not assumptions. When you’re already taking unavoidable damage there’s no reason to crack your own credibility by labeling specifics too soon and needing to walk it back. Let people know you’re on top of the issue and lay out your most critical key messages, then assess before communicating more.

Speaking of communicating more, UHS shared another update the next day after what was undoubtedly a rush to gather information from various experts and put together as full a picture as possible about the situation:

As you can see, the core of the message remains the same, and that’s a good thing. The goal of any crisis communication is to have important audiences walk away remembering your key messages. By repeating the most important items, in this case that safety is being maintained and the situation is being addressed, you increase the odds that will be accomplished. Providing a timeline is good when you can too, though in this case it appears they did have to settle for “as soon as possible”. Not ideal, but superior to telling people service will be restored at a specific time and missing a self-imposed deadline.

The one ingredient I would add here is a dash of empathy for how stakeholders are feeling. In crisis situations many prefer to stay strictly factual, but it’s been my experience that in most cases acknowledging up front you “get it”, that you know why a your audience is feeling the way they are about a situation, you help them become significantly more receptive to the messaging that follows after. Overall this was a strong response to a tough spot, and one that UHS is still navigating at the time of writing. You can certainly expect more crisis management work in this situation before it’s resolved.

With industry experts sounding the call regarding the threat ransomware and other malware poses to healthcare IT systems and, more importantly, to patients at facilities around the world, now is the time to prepare. Just as a holistic approach to health with a focus on prevention is most effective at keeping the human body in good shape, engaging in proactive crisis management measures that consider both operational and communications concerns will help keep your organization running strong, even through the inevitable times of trouble.

Erik Bernstein