Chicago-based medical giant CommonSpirit Health has confirmed that an October ransomware attack exposed the personal data of more than 620,000 patients.
CommonSpirit Health, which operates more than 700 care sites and 142 hospitals in 21 states, first confirmed an “IT security issue” on October 5. At the time, the company declined to comment on the nature of the incident, which interrupted access to electronic health records and delayed patient care in multiple regions, and refused to say whether patient information or health data was compromised.
In a December update, CommonSpirit confirmed that the incident was a ransomware attack. The organization said that threat actors gained access to portions of its network between September 16 and October 3 and, during that time, “may have gained access to certain files, including files that contained personal information” belonging to patients who received care or family members of those who received care at Franciscan Health, a 12-hospital affiliate of CommonSpirit Health.
CommonSpirit notes that while its investigation is ongoing, this data includes names, addresses, phone numbers, dates of birth and unique ID numbers used internally by the organization. The company said that attackers did not access medical record numbers of insurance IDs, and says it has seen no evidence that any personal information has been misused as a result of the attack.
The update doesn’t say how many users were impacted by the data breach. However, as first spotted by Bleeping Computer, the U.S. Department of Health data breach portal – where healthcare organizations are legally obligated to report data breaches impacting over 500 individuals – confirms that threat actors accessed the personal data of 623,774 patients during the CommonSpirit ransomware attack.
“Upon discovering the ransomware attack, CommonSpirit quickly mobilized to protect its systems, contain the incident, begin an investigation, and maintain continuity of care,” the company’s updated notice states. “CommonSpirit notified law enforcement and is supporting their ongoing investigation. Once secured, systems were returned to the network with additional security and monitoring tools.”
The company has not yet attributed the attack to a particular ransomware group, and CommonSpirit spokesperson Chad Burns did not immediately respond to our request for comment. TechCrunch has checked the dark leak websites of several major ransomware groups, but none appear to have yet claimed responsibility for the attack.
At least 15 U.S. health systems operating 61 hospitals across the country have been impacted by ransomware so far in 2022, according to Brett Callow, threat analyst at Emsisoft. In at least 12 of these incidents, sensitive data, including personal health information was compromised.