CommonSpirit Health: Patient Data Was Stolen During Ransomware Attack

An October ransomware attack exposed the personal data of more than 620,000 patients...

[Image: CommonSpirit Health building]

Chicago-based CommonSpirit Health has confirmed that an October ransomware attack exposed the personal data of more than 620,000 patients.

The medical giant, which operates more than 700 care sites and 142 hospitals in 21 states, first confirmed the issue on October 5, though at that time it declined to comment on the nature of the incident. We do know that it interrupted access to electronic health records and delayed patient care in multiple regions, and now we have learned that patient information was compromised during the incident.

Specifically, it was a ransomware attack that gave hackers access to portions of CommonSpirit Health’s network between September 16 and October 3. And during that time, they “may have gained access to certain files, including files that contained personal information” belonging to patients who received care or family members of those who received care at Franciscan Health, a 12-hospital affiliate of CommonSpirit Health.

The data affected includes names, addresses, phone numbers, dates of birth and unique ID numbers used internally by the organization. The company added that attackers did not access medical record numbers or insurance IDs and says it has seen no evidence that any personal information has been misused as a result of the attack.

The company did not say how many people were impacted by the breach. However, as first spotted by Bleeping Computer, the U.S. Department of Health data breach portal, where healthcare organizations are legally obligated to report data breaches, shows that threat actors accessed the personal data of 623,774 patients during the CommonSpirit ransomware attack.

“Upon discovering the ransomware attack, CommonSpirit quickly mobilized to protect its systems, contain the incident, begin an investigation, and maintain continuity of care,” the company said in the statement. “CommonSpirit notified law enforcement and is supporting their ongoing investigation. Once secured, systems were returned to the network with additional security and monitoring tools.”

The company has not yet attributed the attack to a particular ransomware group, and so far no group appears to have claimed responsibility for it.

At least 15 U.S. health systems operating 61 hospitals across the country have been impacted by ransomware so far in 2022, according to Brett Callow, threat analyst at Emsisoft. In at least 12 of these incidents, sensitive data, including personal health information, was compromised.