CommonSpirit Health Breached, Over 623,000 Patients’ Data Exposed
The Compromised Data Includes Full Names, Addresses, Phone Numbers and More.
Following an October ransomware attack, CommonSpirit Health confirmed that malicious actors accessed the personal information of 623,774 patients. This statistic was posted on the U.S. Department of Health breach portal, where healthcare providers are legally required to report incidents that affect more than 500 patients.
With 140 hospitals and more than 1,000 care locations spread across 21 states, CommonSpirit Health is the second-largest health system in the country, so any disruption in its activity can have a significant impact.
The non-profit health system first disclosed to the public in early October that is facing a cyberattack, but on the 1st of December, the company confirmed that its IT infrastructure was breached by ransomware actors. The number of patients affected was not published at the time, but the organization promised to notify all patients that were affected via email.
As you are aware, on October 2, 2022, CommonSpirit Health experienced a ransomware attack that impacted some of our systems. Our ongoing investigation shows that the unauthorized third party gained access to certain files, including files that contained personal information.
While our review of these files is ongoing, we identified that some of these files contained personal information for individuals who may have received services in the past, or affiliates of those individuals, from Franciscan Medical Group and/or Franciscan Health in Washington state.
The data breach exposed the following information:
- Full name
- Phone number(s)
- Date of birth
- And a unique ID that is used only internally by the organization (not the Medical Record Number or insurance ID).
The breach occurred between September 16 and October 3, 2022, according to the notification sent to affected individuals, which is the period of time the ransomware actors had unauthorized access to CommonSpirit Health’s network, explains Bleeping Computer.
CommonSpirit has established a dedicated call center to answer all questions about the ransomware incident. The company has not yet identified the ransomware group responsible for the attack, as the investigation is ongoing. Meanwhile, no ransomware group has claimed the attack.
All updates on the CommonSpirit Health’s data breach are available here, and the list of cases under investigation reported within the last 24 months to the U.S. Department of Health can be accessed here.
If you liked this article, follow us on LinkedIn, Twitter, Facebook, Youtube, and Instagram for more cybersecurity news and topics.