Fraud Management & Cybercrime , Healthcare , Industry Specific

CommonSpirit: Patients' Data Breached in Ransomware Attack

7 Hospitals Affected by Breaches So Far; CommonSpirit Is Still Reviewing Data Files
CommonSpirit: Patients' Data Breached in Ransomware Attack
St. Anne Hospital in Burien, Washington is one of seven hospitals for which patient data was compromised in a recent CommonSpirit ransomware incident. (Image: Virginia Mason Franciscan Health)

Patients of at least seven hospitals in Washington state affiliated with CommonSpirit have been affected by a data breach involving the hospital chain's October ransomware incident.

See Also: NHS Ransomware Attack: Healthcare Industry Infrastructures Are Critical

Even more hospitals and their patients might also be among those affected by breaches as the Chicago-based medical giant continues to investigate the incident and review files compromised in the attack.

In a Thursday statement, CommonSpirit says data files from seven hospitals - collectively called Virginia Mason Franciscan Health, an affiliated entity of CommonSpirit - were compromised in the ransomware incident that was detected on Oct. 2.

CommonSpirit says its investigation determined that an unauthorized third party gained access to certain portions of the organization's network between Sept. 16 and Oct. 3. "During that time, the unauthorized third party may have gained access to certain files, including files that contained personal information."

The seven hospitals are St. Michael Medical Center, St. Anne Hospital, St. Anthony Hospital, St. Clare Hospital, St. Elizabeth Hospital, St. Francis Hospital and St. Joseph Hospital.

CommonSpirit did not immediately respond to Information Security Media Group's request for additional information, including the total number of Virginia Mason Franciscan Health patients affected.

Breach Reports

As of Wednesday, the U.S. Department of Health and Human Services' HIPAA Breach Reporting Tool website listing health data breaches affecting 500 or more individuals did not yet show any breach reports posted involving the CommonSpirit incident.

That includes no breach reports from Des Moines, Iowa-based MercyOne, which was also affected by the CommonSpirit ransomware incident. MercyOne was previously jointly owned by CommonSpirit and Michigan-based Trinity Health before being acquired by Trinity Health this year.

MercyOne still uses CommonSpirit's IT systems, and the Iowa-based entity's electronic health records access and other application functionality were affected for several weeks following the ransomware incident.

A MercyOne spokeswoman tells ISMG that its IT systems are back online but says to direct questions to CommonSpirit about whether MercyOne will report a breach involving the ransomware attack.

"We're not able to expand on those points at this time," a CommonSpirit spokesman tells ISMG.

MercyOne will transition away from CommonSpirit's IT systems and onto Trinity Health's platforms in March, the MercyOne spokeswoman tells ISMG.

Trinity Health did not immediately respond to ISMG's request for comment.

Risk Factors

CommonSpirit Health is the product of a 2019 merger between Catholic Health Initiatives and Dignity Health.

Mergers and acquisitions in the healthcare sector are common, but they come with a variety of risks, says Steve Cagle, CEO of privacy and security consultancy Clearwater, which completed its own acquisition this year of consulting firm CynergisTek.

He says that in the pre- and post-acquisition stages, we need to think about "our strategy for assessing and managing IT security risk."

Prior to an acquisition, thorough due diligence of IT security risk is essential, Cagle says. And post-acquisition, "you really need to be thinking of governance … and how your security program throughout that integration is going to drive the business objectives that are driving the acquisition in the first place."

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.