CommonSpirit Health Provides Update on October 2022 Ransomware Attack

Over 160 different facilities were affected by the incident.

By HFT Staff


CommonSpirit Health has issued an update about its October 2022 ransomware attack and has confirmed that patients from 164 facilities were affected by the attack and had their sensitive data exposed or stolen. CommonSpirit Health detected the ransomware attack on October 2, 2022, and the forensic investigation revealed unauthorized individuals had access to its systems between September 16, 2022, and October 3, 2022. 

In December 2022, CommonSpirit Health confirmed that the threat actor responsible for the attack had stolen patient data prior to encrypting files and said patients of Franciscan Medical Group/Franciscan Health and Virginia Mason Franciscan Health facilities had been affected. Those individuals were notified about the data breach in December. In February 2023, CommonSpirit Health issued a further update confirming the attackers also obtained the data of patients of St. Luke’s Diagnostic Cath Lab, Diagnostic Heart Center in Houston, TX, and sent notifications to those individuals in February. 

The latest update on the ransomware attack was issued on April 6, 2023, and confirmed that the breach affected patients who had received care at certain facilities operated by Catholic Health Initiatives, Dignity Health, Centura Health, and MercyOne and shared a list of 164 hospitals and care sites that are known to have been affected. The investigation confirmed that the attackers had access to two file servers that contained files that included patient data such as names, addresses, birth dates, phone numbers, email addresses, dates of service, medical record numbers, healthcare provider names, diagnosis/treatment information, medical billing/claims information, patient facility associated account/encounter numbers, and health insurance information and, for a small number of individuals, Social Security numbers. 

CommonSpirit Health said the delay in issuing the latest notifications was due to the incredibly time-consuming review of all files stored on those file servers to determine if they contained patient data, and which patients had been affected. The initial phase of that process was completed on February 21, 2023, and then accurate address information needed to be found to allow notifications to be sent. 

CommonSpirit Health reported the data breach to the HHS’ Office for Civil Rights on December 1, 2022, as affecting 623,774 individuals.  That total has not been updated since, and CommonSpirit Health has not publicly confirmed at this stage exactly how many individuals have been affected. Given the number of hospitals now known to have been affected, that total is likely to increase by a substantial amount. 



April 19, 2023


Topic Area: Information Technology


Recent Posts

Disinfectant Dispensers in Healthcare Facilities Often Fail to Deliver Safe Concentrations: Study

Study of 10 hospitals finds 90 percent have at least one dispenser delivering disinfectants at incorrect concentrations.


Duke University Health System Receives $50 Million for Proton Beam Therapy Center

The donation is the largest philanthropic gift received by Duke University Health System.


UT Southwestern Experiences Data Breach Through Calendar Tool

The incident occurred in October.


Protecting Patient Data: Strategies and Tactics

As cyber threats and breaches grow, healthcare organizations and facilities need a better approach to cybersecurity.


Duke Health to Acquire Lake Norman Regional Medical Center

The closing is projected for the first quarter of 2025.


 
 


FREE Newsletter Signup Form

News & Updates | Webcast Alerts
Building Technologies | & More!

 
 
 


All fields are required. This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

 
 
 
 

Healthcare Facilities Today membership includes free email newsletters from our facility-industry brands.

Facebook   Twitter   LinkedIn   Posts

Copyright © 2023 TradePress. All rights reserved.