CommonSpirit Health, one of the nation’s largest health systems, confirmed it was hit by a ransomware attack that has interrupted access to electronic health records and delayed patient care in multiple regions.
The health system is still grappling with the cyberattack more than a week after it first disclosed it was dealing with an unspecified “IT security incident.” The hospital chain said it is working to bring systems back online as quickly as possible.
“... we are providing relevant updates on the ongoing situation to our patients, employees, and caregivers,” CommonSpirit said in a Wednesday statement. Upon discovering the ransomware attack, “we took immediate steps to protect our systems, contain the incident, begin an investigation, and ensure continuity of care.”
The health system operates 142 hospitals and 2,200 care sites in 21 states.
CommonSpirit hospital locations
Dignity Health and Virginia Mason Medical Center in Seattle have had minimal impacts. Dignity Health’s footprint is concentrated in California, Nevada and Arizona.
After combing through CommonSpirit’s locations, Healthcare Dive found health systems in seven states that had banners displayed on their websites warning of an ongoing IT issue, providing a clue on the scope of the issue.
- CHI Saint Joseph Health - Kentucky
- CHI Health - Nebraska
- CHI Health - Iowa
- CHI St. Alexius Health - North Dakota
- CHI St. Gabriel's Health - Minnesota
- CHI St. Luke's - Texas
- CHI Baylor St. Luke's - Texas
- Virginia Mason Franciscan Health - Washington
Law enforcement was notified of the cyberattack, the system said.
CommonSpirit has launched a forensics investigation to determine the data impacts and said it tapped leading cybersecurity specialists to help.
“The fact that this has turned out to be a ransomware incident is not at all surprising,” Brett Callow, a threat analyst at security firm Emsisoft, said. “What remains to be seen is how quickly CommunitySpirit can recover its systems and resume normal operations and whether or not any data was stolen during the attack. If data was stolen, the attackers will likely use the threat of releasing it online as additional leverage to try to extort payment.”
The Chicago-based organization is not the first health system to deal with a ransomware attack.
Attackers in 2021 disrupted operations at Scripps Health for several weeks and stole patient information from about 150,000 patients, according to Fierce Healthcare. The ransomware attack cost Scripps Health $113 million in lost revenue and higher expenses, according to S&P Global Ratings.
Universal Health Services operations were disrupted by attackers in 2020, which cost the system $67 million.