Breach of CommonSpirit Health Patient Data in October 2022 Cyberattack

CommonSpirit Health has updated its October 2022 ransomware attack and affirmed that the threat actors responsible for the attack viewed files that contain patient data.

CommonSpirit Health detected the attack on October 2, 2022, and took immediate action to protect its network. The attack disrupted its healthcare services because systems were taken off the internet to limit the impact of the incident. Nevertheless, the incident did not affect patient care, clinic, and associated systems at Virginia Mason Medical Center, Dignity Health, Centura Health and TriHealth facilities. The forensic investigation affirmed that the threat actors accessed its network from September 16, 2022, to October 3, 2022.

CommonSpirit Health has already confirmed that the threat actors acquired access to sections of its network that contain files with the protected health information (PHI) of patients from Franciscan Medical Group and Franciscan Health located in Washington state. Patients that received healthcare services from these hospitals were also affected:

  • St. Anne Hospital (previously Highline Hospital)
  • St. Michael Medical Center (previously Harrison Hospital)
  • St. Anthony Hospital
  • St. Elizabeth Hospital
  • St. Clare Hospital
  • St. Joseph Hospital
  • St. Francis Hospital

Those facilities are currently recognized collectively as Virginia Mason Franciscan Health, which is CommonSpirit Health’s affiliate.

ComnmonSpirit Health has stated that the impacted files included the following data of patients along with their loved ones and caregivers: names, telephone numbers, dates of birth, addresses, and unique internal patient identifiers. To date, there is no proof found that indicates attempted or actual misuse of the information kept on its systems.

CommonSpirit Health stated most of the EHRs throughout the CommonSpirit Health system and patient portals are already accessible online. The analysis of impacted files is still in progress and the number of affected individuals is not yet confirmed. CommonSpirit Health has advised patients to review their account statements for correctness and to report any services or transactions that were not charged to their healthcare provider or insurance company.