CommonSpirit Health encountered a data security incident on October 3, 2022. Its systems, which include its electronic medical record (EHR) and other crucial IT systems, were taken offline to avoid further damage, control the breach, and stop unauthorized access to sensitive information. CommonSpirit Health released a statement on the next day, explaining that the incident involved an IT issue causing system outages at a few of its hospitals and care centers. CommonSpirit Health is one of the biggest health systems and is the second-biggest non-profit health system in America. It has about 1,500 hospitals and clinics in 21 states. CommonSpirit Health was created from the CHI Health and Dignity Health merger in 2019.
After the security incident, hospitals and care facilities throughout the United States began reporting that they were impacted. This shows that the incident had an impact all over the country. Many CHI Health facilities reported they were impacted and implemented emergency procedures because they lacked access to critical IT systems. Hospitals located in Illinois, Iowa, Nebraska, Washington, and Tennessee all reported that they were affected by the incident.
CHI Health gave a statement about the impact of the CommonSpirit Health incident and that a number of CHI Health facilities had taken their systems offline as a safety measure. Because of patient safety issues, it was decided to end, delay, or reschedule a number of patient consultations and procedures, to temporarily suspend access to the patient portal, and to follow offline procedures for operations and handling prescription drugs.
These steps were essential to control the attack and stop the impact on systems; nevertheless, they are having a considerable effect on patients, who encounter slowdowns in getting health care. A lot of people are likewise having difficulties obtaining the medicines they require to deal with their medical conditions. MercyOne, the manager of 230 healthcare centers in Iowa, stated the incident shut down its online booking system, which has kept the system from being utilized to book online visits in Central Iowa.
A number of people claiming to be staff members and patients of CommonSpirit Health have expressed their concerns on social media websites. Patients have stated they could not get health care and prescribed medications, which include drugs for dealing with cancer at home. Persons claiming to be workers have mentioned having nightmares because of needing to use paper charts. A nurse shared on Reddit that employees at the hospital could not access the Downtime Epic EHR system to view patient records, and the pharmacy cannot confirm orders and needed to manually write labels. Labs were also handwritten and faxed. Eleven days have passed since the incident and the IT systems remain offline.
No information was released at first regarding the precise nature of the incident. However, security researcher Kevin Beaumont tweeted immediately after the incident that it was a ransomware attack as confirmed now by CommonSpirit Health.
CommonSpirit Health mentioned in a new update that the incident is a continuing occurrence and the response is being handled, with support provided by top-rated cybersecurity experts. The Department of Health and Human Services, law enforcement, and other government bodies were already informed about the attack and are giving assistance.
CommonSpirit Health mentioned that all throughout the response, the main concern is to continue to offer the best quality of patient care and make sure of patient safety. Ongoing forensic investigation is determining the scope of the attack and a systems review is being done to find out whether there was any information affected. That process may take a while and additional data will be accessible when results were taken from the investigation.
CHI Health facilities were impacted and are still dealing with disruption. According to CommonSpirit Health, it is doing everything to restore systems online and will reestablish services as soon as possible. CommonSpirit Health has stated that there was little effect on the systems utilized by Virginia Mason Medical Center and Dignity Health.