CommonSpirit Health ransomware attack: Questions and answers

The health system continues to deal with a cyberattack that has affected some systems and led to some patient appointments being canceled or rescheduled.

CommonSpirit Health continues to deal with a ransomware attack that has affected its systems.

A nonprofit, Catholic health system based in Chicago, CommonSpirit operates 140 hospitals and more than 1,500 care sites in 21 states. CommonSpirit offered an update this week on the incident and how the system is responding.

Here are some key questions on the ransomware attack.

Q: When did CommonSpirit Health report the incident?

A: CommonSpirit first reported what it described as an IT security issue on Oct. 5. CommonSpirit issued an update on Oct. 12 confirming that it is dealing with a ransomware attack.

Q: Are hospitals and clinics open?A: Yes. CommonSpirit says its facilities are serving patients, even as the system works to restore systems.

Q: Are patients being affected?

A: In an Oct. 17 update, CommonSpirit said, “There is no impact to clinic, patient care and associated systems at Dignity Health, Virginia Mason Medical Center, TriHealth or Centura Health facilities.” CommonSpirit said other parts of the system “have seen impacts on operations” and the organization is working to restore the systems.

CHI Health, which is part of CommonSpirit, said it has had to reschedule some patient appointments and some symptoms are temporarily offline. CHI Health also said it is postponing some procedures on a case-by-case basis.

Virginia Mason Franciscan Health has also said some patient appointments were rescheduled or canceled.

CommonSpirit says it is working “to facilitate clinician and patient communication, document patient care, and support our caregivers in following safety processes and standards.”

Q: What is happening with patient portals?

A: Due to the cyberattack, CommonSpirit has had to take some systems offline, including patient portals. “We apologize for this inconvenience and are working diligently every day to bring systems online and restore full functionality as quickly and safely as possible,” CommonSpirit said.

Q: Are electronic health records offline?

A: CommonSpirit says it has taken electronic health records offline, along with patient portals and other systems, to deal with the breach and maintain care.

Virginia Mason Franciscan Health said in an Oct. 17 update that providers are now able to access electronic health records. Virginia Mason also said it expects to restore patient access to MyChart in the coming days, as it makes progress in restoring some systems. CHI Health also said it expects to allow patients to use MyChart in the coming days.

Q: What is CommonSpirit doing to restore systems?

A: CommonSpirit crews are working to get affected systems back online. The organization has also consulted leading cybersecurity experts.

Q: Has patient information been accessed?

A: The health system said it is conducting an investigation to determine if there are any data impacts.

Health systems are required under federal law to report any breach of private health information involving 500 people or more to the U.S. Department of Health and Human Services.

Q: When will all systems be restored and the problems resolved?A: CommonSpirit has yet to provide an estimate. The system said it is working to resolve the issues and resume full operations as quickly, and safely, as possible.

Q: Has CommonSpirit notified authorities?A: Yes, the system said it has contacted law enforcement, but CommonSpirit hasn’t specified which agencies are involved and investigating.

Q: How common are cyberattacks at hospitals and health systems?

A: Hospitals across the country have been hit by cyberattacks. Two out of three healthcare IT professionals (67%) said their organizations had a significant cybersecurity incident in the past 12 months, according to the HIMSS 2021 cybersecurity survey. Cybersecurity experts tell hospital leaders it’s not a question of if they will be hit with an attack, but a question of when.

Millions of Americans have had their records breached across America. In the first half of the year, health department data indicates there were 337 breaches involving a minimum of 500 patient records, but some of those attacks have affected hundreds of thousands of people.

Many hospitals have also had to deal with ransomware attacks, because they know many health systems will pay. Smaller hospitals and systems are also frequent targets, because they have fewer resources to repel cyberattacks.

Q: Is the MercyOne health system affected?

A: MercyOne, based in Iowa, said it has been impacted by the CommonSpirit ransomware attack. Trinity Health recently completed its acquisition of MercyOne in September, but MercyOne continues to use CommonSpirit’s systems. Trinity and CommonSpirit had jointly operated MercyOne.

MercyOne Central Iowa said in a statement its information systems were impacted Oct. 3 as part of CommonSpirit’s IT issue. MercyOne Central Iowa said all facilities are open, although there is “some disruption to normal operations.” Patients can’t schedule appointments online.