Patients’ PHI Affected by CommonSpirit Health Ransomware Attack and Suncoast Skin Solutions Data Breach

CommonSpirit Health has reported the exposure and potential theft of the protected health information (PHI) of about 623,774 patients because of a ransomware attack in October 2022. CommonSpirit Health initially announced on October 4, 2022, that it had encountered a cyberattack, and it has been posting frequent updates on its website as additional information regarding the attack becomes available. The provider discovered the attack on October 2, 2022, and the investigation confirmed that the attackers had access to areas of its system from September 16 to October 3.

The most recent update, released on December 1, 2022, stated that the persons responsible for the attack viewed the information of patients who previously received healthcare services, or affiliates of those patients, from Franciscan Medical Group and/or Franciscan Health (known today as Virginia Mason Franciscan Health) in Washington state. This includes patients of St. Anne Hospital (previously Highline Hospital), St. Joseph Hospital, St. Michael Medical Center (previously Harrison Hospital), St. Anthony Hospital, St. Elizabeth Hospital, St. Clare Hospital, and St. Francis Hospital.

The breached information consists of names, internal patient IDs, addresses, telephone numbers, and birth dates. CommonSpirit Health mentioned that the breach had no impact on Dignity Health, TriHealth, Centura Health, or Virginia Mason Medical Center facilities.

75,992-Record Data Breach Reported by Suncoast Skin Solutions

Suncoast Skin Solutions, based in Lutz, FL, is a medical and cosmetic dermatology practice network. It recently began informing its patients about a cyberattack that it discovered on or about July 14, 2021. The network took prompt action to contain the attack. Third-party forensics specialists investigated the incident and confirmed the nature and extent of the data breach.

The investigation was completed on October 21, 2022. It confirmed that the files on the system included patient information that was accessed during the attack. However, the attack did not affect its electronic medical record system. An initial analysis, finished on November 8, 2021, identified the types of data impacted. That analysis showed that only old patient information was affected.

Suncoast began issuing notification letters to impacted persons on November 28, 2022. According to the breach notification letter Suncoast submitted to the Maine Attorney General, the long delay in sending notification letters was due to the nature and volume of the impacted information. The data mining procedure began in December 2021 and was completed in October 2022. Suncoast stated that, to comply with the HIPAA Breach Notification Rule, it initially issued a media notice about the data breach on January 7, 2022, and posted it on its website.

The potentially compromised information included names, birth dates, clinical data, doctor’s records, and some treatment data. Credit monitoring services were provided to impacted persons. Suncoast sent the breach report to the HHS’ Office for Civil Rights in July, indicating that 57,730 persons were impacted. The new notification sent to the Maine Attorney General shows that 75,992 persons were impacted.