CommonSpirit Health revealed that cybersecurity breach was much larger than initially thought, reaching 100 facilities in 13 states

Updated April 10 at 1:30 p.m.

More than half a year after CommonSpirit Health revealed that it had been the target of a ransomware attack from September 16 to October 3, 2022, the health system informed the public that the attack was larger than initially announced.

Over 100 current and former CommonSpirit facilities located in 13 states may have been touched by the attack, the Catholic system said last week. The statement is a notable expansion from the facilities located in Washington state, Tennessee and Nebraska that were initially believed to be victims of the attack.

An update on the company's website revealed that the unauthorized user did not gain entry into the system's electronic medical record system but did acquire copies of data including personal patient information. 

After the initial phase of an internal investigation was completed at the end of February, the company found that demographic, medical, billing and insurance information for some individuals was accessed. Demographic data included name, address and date of birth.

As of last week, the country's second-largest non-profit health system began notifying the individuals whose information it believes to have been compromised. 

In February, CommonSpirit shared that the breach was estimated to cost the health system $150 million due to business interruptions, insurance recoveries and other related expenses. 

Potentially affected facilities reach across the country with 21 organizations in Texas, 14 in Nebraska, 14 in North Dakota, 13 in Kentucky, 10 in Washington state, six in Arkansas, six in Minnesota, five in Tennessee, five in Ohio, four in Oregon, three in Georgia, three in Iowa and one in Pennsylvania.

CHI Health and Home organizations that were touched include 45 home infusion providers and hospice and palliative care companies encompassing eight associated and former CommonSpirit facilities in Colorado, Kansas, Kentucky, Iowa, New Jersey and Pennsylvania.

According to the system, there has been no evidence to date that the data has been misused. 


Updated Jan. 1 at 1:30 p.m.

CommonSpirit Health was hit with a class-action suit alleging negligence played a role in the lengthy ransomware attack that compromised more than 600,000 patients' protected health information. 

The suit was filed on December 29 in the U.S. District Court for the Northern District of Illinois by Leeroy Perkins, a CommonSpirit network hospital patient for nearly two decades who lives in Washington state.

In it, Perkins wrote that the Catholic health giant "owed a duty" to its patients to "exercise reasonable care" with sensitive data in its possession. The health system failed to employ those reasonable measures by not complying with industry standards, he wrote. 

"As a direct and proximate result of Defendant's failure to implement and follow basic security procedures, Plaintiff's and Class Members' [personally identifying information] and [protected health information] is now in the hands of cybercriminals," he wrote in the suit. 

Perkins wrote that he "has been required to spend his valuable time" monitoring accounts and changing passwords, and will continue to be at increased risk of fraud and identity theft "for years to come." He and other class members will also see costs tied to credit monitoring, identity theft protection services and lowered credit scores, he wrote. 

Perkins is seeking relief for himself and others for damages exceeding $5 million and injunctive relief, which would include CommonSpirit adopting stronger data protection practices to prevent further data breach incidents, according to the suit. 

Fierce Healthcare has reached out to CommonSpirit for comment on the suit.


Updated Dec. 12 at 12:30 p.m.

CommonSpirit Health, the country’s second-largest nonprofit health system, was hit with a ransomware attack first announced in October. The health system said an investigation determined that an unauthorized third party gained access to certain portions of CommonSpirit’s network between September 16 and October 3.

The health system reported the breach on December 1 to the U.S. Department of Health and Human Services' Office for Civil Rights. According to OCR's online breach portal, the cyber attack compromised the protected health information of more than 623,700 people.

The breach is now under investigation by the HHS Office for Civil Rights.

CommonSpirit characterized the cyber attack as a "hacking/IT incident" related to a business associate.


Updated Dec. 5 at 1:25 p.m.

CommonSpirit Health has discovered that patients’ personal information was leaked during a cybersecurity breach this fall, according to a Dec. 1 update on the health system’s website.

The Catholic health system stated that its review of the files was ongoing, but it could confirm that some personal information of individuals or affiliates of individuals who may have received services at the Franciscan Medical Group or Franciscan Health in Washington state was compromised.

Franciscan Health encompasses St. Anne Hospital, St. Elizabeth Hospital, St. Anthony Hospital, St. Clare Hospital, St. Francis Hospital, St. Joseph Hospital and St. Michael Medical Center.

To date, there is no evidence that the information has been misused as a result of the incident, according to CommonSpirit. The update posted on the system’s website stated that on Dec. 1, company officials began contacting individuals whose personal information was held in the files in question.

Files in question included the name, address, phone number and date of birth of patients, family members of patients or caregivers of patients. Medical record numbers or insurance IDs were not compromised in the breach, according to a notice on the company’s website.

An ongoing investigation has determined that an unauthorized third party gained access to the 138-hospital system sometime between Sept. 16 and Oct. 3.

The cyberattack on the country’s second-largest nonprofit health system took out some of CommonSpirit’s technical systems for weeks. As of Nov. 9, not all electronic health record systems were back online and neither were all patient portals, according to an online update.

On Nov. 15, CommonSpirit published a financial filing revealing that while the system scored a $23 million operating gain for the opening quarter of its fiscal year, it also logged a $379 million net loss.

Inflation, the COVID-19 pandemic and labor shortages were blamed for the disappointing performance.


Updated Oct. 13 at 10:00 a.m.

CommonSpirit Health is now characterizing the interruption of IT services across several of its hospitals as a ransomware attack.

In the week since it disclosed an "IT security incident" that forced EHR shutdowns and appointment cancellations, the Catholic health giant said Wednesday that it has notified law enforcement and tapped "leading cybersecurity specialists" to support its forensics investigation.

"Upon discovering the ransomware attack, CommonSpirit took immediate steps to protect our systems, contain the incident, begin an investigation and ensure continuity of care," the system said in an emailed statement. "Patients continue to receive the highest quality of care, and we are providing relevant updates on the ongoing situation to our patients, employees and caregivers. Patient care remains our utmost priority and we apologize for any inconvenience this matter has created."

CommonSpirit said its facilities are following pre-established system outage protocols that include taking certain systems, such as its EHRs, offline. 

The Chicago-based system operates 142 hospitals and over 2,200 sites of care within 21 states. It has seen system interruptions across several states including Nebraska, Tennessee, Texas, Washington and Iowa as a result of the attack.


Updated Oct. 7 at 1:12 p.m.

Following the confirmation from CommonSpirit Health that a cybersecurity incident has disrupted medical systems in numerous but unidentified locations, reports from patients and health providers have revealed the ongoing effect of the attack that reportedly began Monday.

CommonSpirit confirmed in a statement to Fierce Healthcare that IT outages are taking place as a precautionary measure and that some patients may be notified regarding changes to appointments.

Subsidiaries of CommonSpirit have reported being affected by the attack including CHI Health facilities in Nebraska and Tennessee, Seattle-based Virginia Mason Franciscan Health providers, MercyOne Des Moines Medical Center, Houston-based St. Luke's Health and Mich.-based Trinity Health System.

The first reports of outages came on Tuesday from CHI Health and Virginia Mason Franciscan Health. CHI Health reportedly later delayed surgeries.

"We drive to Bergan Mercy, go in the procedure center, walk up to the front counter, and I'm like 'I'm here to check-in,' and there was some stammering and stuttering and they're like, 'Well all the procedures have been canceled today,'" a CHI Health patient, who reported learning upon arriving at a CHI facility on Oct. 3 that their colonoscopy was canceled, told NBC.

Seattle-based Virginia Mason Franciscan Health providers St. Michael Medical Center and St. Anthony Hospital also reported being affected.

A caregiver reported to the Kitsap Sun that staff at St. Anthony Hospital were unaware of her sister’s appointment and could not “put anything in the computer.” She reported observing staff using a makeshift paper system of record keeping and phones to communicate with providers and payers.

MercyOne Des Moines Medical Center also had to shut down its EHR system and other IT systems. Ambulances were reportedly rerouted to other medical facilities for a brief time on Oct. 3.

A nurse at the Houston-based St. Luke's Health told a local news outlet that some facilities are fully paper charting, with some patients' lab work not being processed, and appointments being canceled.

Livonia, Mich.-based Trinity Health System has also taken IT systems offline, including its EHR system, a spokesperson from Trinity told NBC.


CommonSpirit Health is managing an IT security incident affecting some of its facilities in multiple regions, the company said in a statement to Fierce Healthcare.

The number of facilities affected is still undisclosed as is the security of patient data following the incident which reportedly began Monday.

“As a result of this incident, we have rescheduled some patient appointments in some of our communities,” CommonSpirit’s statement said. “Patients will be contacted directly by their provider and/or care facility if their appointment is impacted.”

The Chicago-based health system is one of the largest in the country, operating 142 hospitals and over 2,200 sites of care within 21 states.

“As a precautionary step we have taken certain IT systems offline, which in some of our divisions includes electronic health record systems and other systems,” the statement said. “Our facilities are following existing protocols for system outages and taking steps to minimize the disruption.”

CommonSpirit’s Nebraska-based subsidiary CHI Health has reported outages in all of its Omaha hospitals—Lakeside Hospital, Creighton University Medical Center, Bergan Mercy and Immanuel Medical Center.

Two CHI Health hospitals in Chattanooga, Tennessee, moved some systems offline including electronic health records, according to a statement from CHI Memorial.

The Seattle-based Virginia Mason Franciscan Health has also reported being impacted by the outage. VMFH operates hospitals and clinics in the Puget Sound region, including St. Joseph Medical Center in Tacoma. Patients were reportedly unable to access the online patient portal, MyChart.

“We take our responsibility to ensure the privacy of our patients and IT security very seriously,” the statement said.  

CommonSpirit is one of many notable nonprofit health systems reporting significant losses for the most recent fiscal year. The health system, which was formed in a 2019 merger of Catholic Health Initiatives and Dignity Health, reported $1.85 billion in losses in 2022.

The Catholic organization recently appointed Wright Lassiter, formerly of Henry Ford Health, as its new CEO and successor to Lloyd Dean.