CommonSpirit Health reports IT security issue; hospitals affected, some patient appointments rescheduled

The nonprofit system said it has taken some systems offline, and that could include some electronic health records.

CommonSpirit Health, one of America’s largest healthcare systems, says it is dealing with an information technology security issue.

The health system said in a statement the issue “is impacting some of their facilities.” Some patient appointments have been rescheduled, CommonSpirit said.

CommonSpirit is taking some of its IT systems offline, and that could include its electronic health records and other systems, the organization said.

Patients will be contacted by their providers or their healthcare facilities if their appointments are going to need to be rescheduled.

“We take our responsibility to ensure the security of our IT systems very seriously. As a result of this issue, we have rescheduled some patient appointments,” CommonSpirit said in a statement.

Based in Chicago, CommonSpirit is a nonprofit, Catholic health system that operates 140 hospitals and more than 1,500 care sites in 21 states. The system was created in February 2019 by the merger of Catholic Health Initiatives and Dignity Health.

The MercyOne health system has also been affected by the incident, the Des Moines Register reported. MercyOne had been jointly operated by CommonSpirit and Trinity Health until just a little more than a month ago. Trinity Health completed the acquisition of MercyOne in September, but MercyOne is still using some of CommonSpirit’s technology as the integration with Trinity continues, the Des Moines Register reported.

MercyOne Des Moines Medical Center shut down some of its information technology systems, including its electronic health records, the Register reported.

CHI Health, which is owned by CommonSpirit Health, has been affected by an IT security incident affecting its electronic health records, The Omaha World-Herald reported. CHI Health facilities in Omaha — including Lakeside Hospital, Creighton University Medical Center-Bergan Mercy and Immanuel Medical Center — have been impacted, the paper reported.

CHI Memorial in Chattanooga, Tennessee, has also been affected, prompting the system to reschedule some patient procedures, The Chattanoogan reported.

In the Seattle area, Virginia Mason Franciscan Health computer networks were offline this week, with staff having no access to electronic medical records and services and having difficulties getting lab results, The News-Tribune reported. Some patients were having appointments rescheduled.

Hospitals and health systems around the country have been dealing with a growing number of cyberattacks. Cybersecurity experts say ransomware attacks are rising, largely because criminals have learned that health systems are often willing to pay to have their services restored.

Millions of Americans have been affected by breaches involving private health information this year. In the first half of 2022, there were 337 breaches each involving a minimum of 500 patient records, according to data from the U.S. Department of Health and Human Services.

Cybersecurity attacks are costly to hospitals. The average healthcare breach cost $10.1 million, nearly $1 million more than last year, according to an IBM report released in July.

While many larger health systems have been breached, industry analysts say that smaller hospital and healthcare organizations have been frequent targets of cyberattacks. Ransomware groups know smaller hospitals have fewer resources to protect their systems and are easier targets, experts say.

Healthcare experts have pointed to the cost of cyberattacks in dollars and manpower. John Riggi, the American Hospital Association’s national adviser for cybersecurity, told Chief Healthcare Executive in April there should be greater attention paid to the threat to patient safety.

If hospitals can’t access electronic records and are delaying procedures or diverting ambulances, that’s a credible threat, Riggi said. “You increase the risk clearly of a negative medical outcome or death,” he said.