CommonSpirit Health says some patient information accessed in ransomware attack

CommonSpirit Health said some patient information was accessed in a ransomware attack earlier this fall.

CommonSpirit, a non-profit, Catholic organization, is one of America’s largest health systems, operating 140 hospitals and more than 1,500 care sites in 21 states.

The system said last week that the breach involved patient information from Virginia Mason Franciscan Health, an affiliated entity of CommonSpirit. Letters to those affected were sent via U.S. mail on Dec. 1, the system said.

CommonSpirit said someone gained access to personal information from Franciscan Health and/or Franciscan Medical Group in Washington state. An investigation determined that hackers gained access to parts of CommonSpirit’s network between September 16, 2022 and October 3, 2022.

• Read more: Hospitals warned or ransomware gang engaged in ‘big game hunting’

To date, CommonSpirit said it has uncovered no evidence that any personal information has been misused as a result of the breach.

Some of the files were related to patients, family members of patients, or caregivers of patients and included names, addresses, phone numbers, dates of birth, and a unique ID used only internally by the organization, CommonSpirit said. The data didn’t include insurance identification numbers or medical record numbers.

CommonSpirit said the data in the files related to patients, relatives or caregivers of patients that may have been seen at Washington state locations including: St. Joseph Hospital (Tacoma); St. Francis Hospital (Federal Way); St. Elizabeth Hospital (Enumclaw); St. Clare Hospital (Lakewood); St. Anthony Hospital (Gig Harbor); St. Anne Hospital, formerly Highline Hospital (Burien); St. Michael Medical Center, formerly Harrison Hospital (Bremerton & Silverdale); and physician clinics associated with Franciscan Health.

In the weeks after the attacks, Virginia Mason Franciscan Health said some patient appointments were rescheduled or canceled. CHI Health, which is part of CommonSpirit, said it had to reschedule some patient appointments and postponed some procedures on a case-by-case basis.

CommonSpirit said it is working with law enforcement in the investigation. The organization said some systems were temporarily taken offline but were later restored with additional security tools.

CommonSpirit disclosed an information technology incident in early October and later revealed the incident was a ransomware attack.

Hospitals and health systems have been hit by more ransomware attacks in recent years. Cybersecurity experts say hospitals are tempting targets, and despite some improvements, remain too vulnerable to attacks. Ransomware gangs have also learned that some hospitals are willing to pay the ransom, experts say, although they advise against it.

Millions of Americans have been impacted by breaches involving personal health information this year, according to data from the U.S. Department of Health and Human Services.

Health systems are finding cyberattacks to be very costly. The average healthcare breach cost $10.1 million, according to an IBM Security report.

Cyberattacks also threaten the safety of patients, particularly if electronic health record systems are required to be taken offline and procedures must be delayed. Industry experts have urged hospitals to view cybersecurity as essential to protecting patient safety.

Read more from Chief Healthcare Executive

How hospitals can improve their cybersecurity

How a rural system improved its cybersecurity