The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

CommonSpirit Health Experiencing Widespread Outage Due to Cyberattack

CommonSpirit Health is experiencing a data security incident that has affected many of its healthcare facilities. According to a statement issued by the health system on October 4, 2022, IT systems have been taken offline as a precautionary step while the incident is investigated and its exact nature and scope are determined. A brief update was issued on Wednesday, October 5, 2022, confirming the IT security incident was still impacting some of its facilities and that staff members were operating under its tried and tested emergency protocols and using pen and paper to record patient information while IT systems are offline.

The incident was detected on October 3, 2022, but little information has been released at this stage about the exact nature of the incident. CommonSpirit Health said it is doing everything possible to minimize the impact on its patients. Without access to certain IT systems, the decision has been taken to reschedule some appointments while the security incident is mitigated. Some patients have reported that it has not been possible to make new appointments.

Chicago, IL-based CommonSpirit Health is the largest Catholic health system in the United States and the second largest non-profit U.S. health system. It was formed in 2019 by the merger of Catholic Health Initiatives (CHI Health) of Colorado and Dignity Health of California. CommonSpirit Health operates 142 hospitals and approximately 1,500 care facilities in 21 states, has around 150,000 employees including 25,000 physicians, and serves more than 21 million patients a year. CommonSpirit Health’s hospitals and healthcare facilities are accessible to around 1 in 4 Americans.

Several CHI Health facilities in Nebraska have confirmed that they are experiencing outages as a result of the incident. MercyOne Des Moines Medical Center in Iowa has also been affected, and the decision was taken to divert ambulances for a short period of time. The incident is also known to have affected hospitals in Tennessee and Washington.

Reports have been received from patients claiming the MyChart tool from Epic Systems has been affected, although a spokesperson for the EHR provider said the issues are only being experienced by CommonSpirit Health. It should be noted that the decision to take the EHR system offline is common when cyberattacks are detected and does not mean the EHR system has been subjected to unauthorized access.

At such an early stage of the investigation it is unclear to what extent, if any, patient information has been affected and the exact nature of the attack has also not been disclosed; however, security researcher Kevin Beaumont said on Twitter that the incident response chatter indicates this was a ransomware attack, which would explain the widespread impact of the incident.

“Cyber incidents targeting the healthcare industry are increasing in frequency, severity, and cost, with significant adverse impacts on patient services and privacy. In 2022, data breaches of healthcare organizations with at least 500 victims are up 78%, with the average breach costing $10 million,” Eoghan Casey, VP of Cybersecurity Strategy & Product Development at OwnBackup, explained to HIPAA Journal. “The CommonSpirit Health cyberattack is just the latest incident that demonstrates the need for healthcare CIOs and CISOs to implement solutions to proactively protect and rapidly restore mission-critical data. Doing this will help secure patient data and mitigate the risks of future attacks, ultimately preventing costly disruptions to operations and the ability to care for patients.”

Further information about the incident will be released by CommonSpirit Health as the investigation progresses, and this article will be updated as further information becomes available.

Update October 12, 2022: CommonSpirit Health Confirms System Outages Caused by Ransomware Attack

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
