CommonSpirit Health says system hit by ransomware attack

The system says it is working with law enforcement and cybersecurity experts. Some hospitals have rescheduled patient appointments and some systems are offline.

CommonSpirit Health says an information technology issue that has affected some of its hospitals is the result of a ransomware attack.

“Over the course of this past week, we have been managing a response to a cyberattack that has impacted some of our facilities,” CommonSpirit Health said in an Oct. 12 news release.

The cyberattack has led some hospitals to reschedule appointments for some patients. Based in Chicago, CommonSpirit Health is one of America’s largest health systems.

CommonSpirit said in the release, “Upon discovering the ransomware attack, we took immediate steps to protect our systems, contain the incident, begin an investigation, and ensure continuity of care.”

Initially, CommonSpirit described the problem last week as an information technology security issue but didn’t specify that it was a ransomware attack.

CommonSpirit said it has taken some systems offline, including electronic health records, which are a core component of patient care. The system said it has notified law enforcement agencies and also engaged cybersecurity experts to assist with the investigation and response.

“We continue to conduct a thorough forensics investigation and review of our systems and will also seek to determine if there are any data impacts as part of that process,” CommonSpirit said.

Virginia Mason Franciscan Health, part of CommonSpirit Health, said some patient appointments were rescheduled or canceled.

CommonSpirit said systems serving Dignity Health and Virginia Mason Medical Center “have had minimal impacts on operations by this incident.”

“For the other parts of our health system that have seen impacts on operations, we are working diligently every day to bring systems online and restore full functionality as quickly and safely as possible,” CommonSpirit said.

CHI Health, also part of CommonSpirit, said it has had to reschedule some patient appointments and some systems are temporarily offline.

CHI Health and Virginia Mason have temporarily suspended access to their patient portals. They said they hope to restore them as soon as possible.

CommonSpirit said its staff is working to mitigate the impact of the disruption.

“Central to our decision-making has been and will continue to be our ability to carry out our mission in a manner that is safe and effective to those we serve,” CommonSpirit said.

The MercyOne health system in Iowa was affected by the incident, the Des Moines Register reported. MercyOne had been jointly operated by CommonSpirit and Trinity Health, but Trinity Health completed the acquisition of MercyOne in September. MercyOne is still using some of CommonSpirit’s technology. Some systems were taken offline, and WHO-TV in Des Moines reported that online scheduling is affected.

CommonSpirit, a nonprofit, Catholic health system, operates 140 hospitals and more than 1,500 care sites in 21 states. The system was created in February 2019 by the merger of Catholic Health Initiatives and Dignity Health.

Hospitals and health systems around the country have been dealing with a growing number of cyberattacks.

Cybersecurity experts say ransomware attacks are rising, because criminals have learned that hospitals are willing to pay to have their services restored.

Crane Hassold, director of threat intelligence at Abnormal Security, a cybersecurity firm, said hospitals have been hit by ransomware attacks for years. Hospitals were some of the early recipients of ransomware attacks, because they were viewed as soft targets, he said. Now ransomware attacks are affecting a wide variety of businesses.

Still, hospitals remain tempting targets, he said.

“They need access to data 24/7,” Hassold said of hospitals and health systems.

“Any disruption is significant,” he said.

Beyond ransomware attacks, hospitals and health systems face a potentially even greater threat in the form of business email compromise, Hassold said. Bad actors may send emails trying to coax an organization’s employee into sending money or revealing confidential information, which could provide access to company accounts.

“When you look at the amount of money lost from cybercrime, business email compromise is far and away the biggest contributor,” Hassold said.

Other cyberattack schemes involve posing as a vendor the system works with regularly, and asking for funds to be directed to a different location, he said.

Millions of Americans have been affected by breaches involving their private health information this year. In the first half of 2022, there were 337 breaches involving at least 500 patient records, according to data from the U.S. Department of Health and Human Services. Some breaches involved hundreds of thousands of records.

Cybersecurity attacks cost hospitals money and manpower. The average healthcare breach cost $10.1 million, nearly $1 million more than last year, according to an IBM report released in July. Cybersecurity attacks also pose threats to patient care, particularly if they delay procedures or make it difficult for clinicians to get vital information from electronic health records, such as allergies to certain drugs.

Smaller hospitals and health systems have also been increasingly targeted by cyberattackers because they have fewer resources protecting their networks, analysts say.