CommonSpirit Health

Your Personal Info Could Be Exposed Online After This Hospital Breach

Breach Description

CommonSpirit Health, the second-largest nonprofit health system in the United States, experienced a significant cybersecurity breach that was first announced in October 2022. This ransomware attack was initially thought to have affected a limited number of facilities, but subsequent investigations revealed that its impact was much more extensive. Over 100 facilities in 13 states were affected, compromising the protected health information of more than 623,700 individuals[1][7]. The breach led to disruptions in patient care and significant financial losses for CommonSpirit Health.

Extent of the Breach

The attack targeted various types of data, including demographic, medical, billing, and insurance information. Specifically, demographic data such as names, addresses, and dates of birth were accessed. The breach impacted facilities across the country, with a notable number in Texas, Nebraska, North Dakota, Kentucky, and Washington state, among others[1]. The unauthorized access occurred between September 16 and October 3, 2022, with the attackers gaining entry to the network and copying data from file-share servers[7].

Financial Impact

The financial fallout from the cyberattack was substantial. CommonSpirit Health estimated the cost of the breach at approximately $160 million, which included losses from business disruption, remediation costs, and other related expenses[3][4]. This figure was an increase from an initial estimate of $150 million. The breach affected revenues in four of CommonSpirit’s nine regional divisions and led to a significant operating loss for the fiscal year 2023[3].

Legal and Regulatory Aftermath

In response to the breach, CommonSpirit Health faced several class-action lawsuits alleging negligence for failing to protect sensitive health and personal information[3]. The health system reported the incident to the U.S. Department of Health and Human Services’ Office for Civil Rights as a HIPAA breach, and it is under investigation[1]. Despite the challenges, CommonSpirit began notifying affected individuals and took steps to strengthen its data protection practices to prevent future incidents[1].

Conclusion

The CommonSpirit Health data breach underscores the vulnerabilities in the healthcare sector to cyberattacks and the extensive impact such incidents can have on patient care, financial stability, and legal standing. It highlights the importance of robust cybersecurity measures and the need for continuous vigilance and improvement in protecting sensitive health information.

Citations:

  1. https://www.fiercehealthcare.com/health-tech/commonspirit-health-reported-it-security-incident-affecting-facilities-wash-neb-and
  2. https://www.modernhealthcare.com/providers/commonspirit-health-data-breach-full-extent-now-revealed
  3. https://www.bankinfosecurity.com/commonspirit-details-financial-fallout-160m-cyberattack-a-23158
  4. https://www.cshub.com/attacks/news/commonspirit-health-reports-that-ransomware-attack-cost-160-million
  5. https://phoenixnap.com/blog/commonspirit-health-ransomware-attack
  6. https://www.commonspirit.org/notice-of-data-security-incident
  7. https://www.healthcaredive.com/news/scope-commonspirit-data-breach-larger/647198/
  8. https://www.hipaajournal.com/commonspirit-health-increases-ransomware-attack-cost-estimate-to-160-million/
  9. https://www.bleepingcomputer.com/news/security/commonspirit-health-ransomware-attack-exposed-data-of-623-000-patients/
  10. https://www.idstrong.com/sentinel/people-panicking-in-the-aftermath-of-commonspirit-health-parent-company-hack/
  11. https://www.beckershospitalreview.com/cybersecurity/the-commonspirit-ransomware-attack-1-year-later.html
Breach Submission Date: Dec 01, 2022

Converted Entity Name: CommonSpirit Health

Converted Entity Type: Business Associate

State: IL

Individuals Affected: 623,774

Breach Type: Hacking/IT Incident

Breach Information Location: Network Server

Business Associate Present: Yes