CommonSpirit Health, a Catholic non-profit hospital chain, has confirmed that patient data was accessed during a three-week window earlier this year. CommonSpirit Health operates 142 hospitals and 700 other care sites, though the breach only affected a subset of these facilities were affected.
The attack occurred between September 16, 2022, and October 3, 2022. When the attack was detected, CommonSpirit Health – which is the nation’s second-largest non-profit chain of hospitals – immediately took action and shut off parts of its network to try and contain the damage. Though this caused significant disruption to CommonSpirit’s network, it was necessary to prevent further access to PHI.
CommonSpirit Health has announced that hospitals and clinics that form the entity Virginia Mason Franciscan Health were affected by the attack. These include St. Michael Medical Center, St. Anne Hospital, St. Anthony Hospital, St. Clare Hospital, St. Elizabeth Hospital, St. Francis Hospital, and St. Joseph Hospital.
The attack did not affect Dignity Health, TriHealth, Virginia Mason Medical Center, or Centura Health facilities.
In a Notice of Data Security Incident, CommonSpirit Health has confirmed that patient files were accessed during the ransomware attack. The files that were accessed included details of the patient, their family and carers, home addresses, phone numbers, and identification numbers unique to CommonSpirit Health. Though to date, there is no evidence that the data that was accessed was used maliciously, the hospital chain advised the following:
“It is always prudent for patients to review health care statements for accuracy and report any services or charges that were not incurred to the provider or insurance carrier.”
CommonSpirit Health continues to investigate the incident, and began notifying affected individuals via letters on December 1, 2022.