The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

CommonSpirit Health Confirms System Outages Caused by Ransomware Attack

On October 3, 2022, CommonSpirit Health experienced a data security incident that forced it to take systems offline, including its electronic health record (EHR) and other critical IT systems. These steps were taken to protect systems from damage, contain the breach, and prevent unauthorized access to sensitive data. CommonSpirit Health issued a statement on October 4, 2022, that provided a brief explanation of the incident, stating there was an IT issue that was being investigated that had resulted in system outages at some of its hospitals and care facilities. CommonSpirit Health is one of the nation’s largest health systems and is the second-largest non-profit health system in the United States, consisting of around 1,500 clinics and hospitals in 21 states. CommonSpirit Health was formed by the merger of CHI Health and Dignity Health in 2019.

Soon after the incident, hospitals and other care facilities across the United States started to confirm that they had been affected, making it clear that the incident was having an impact nationwide. Several CHI Health facilities confirmed they had been affected and were operating under emergency procedures due to the lack of access to essential IT systems. Hospitals in Iowa, Illinois, Nebraska, Tennessee, and Washington all stated that the incident had affected them.

CHI Health issued a statement confirming the incident at CommonSpirit Health was having an impact on some CHI Health facilities, and that as a precautionary step, some of its systems were taken offline. Due to patient safety concerns, the decision was taken to cancel, postpone, or reschedule some patient appointments and procedures, access to the patient portal was temporarily suspended, and offline procedures were being followed for processing and managing prescription medications.

These measures were necessary to contain the attack and prevent damage to systems; however, they are having a significant impact on patients, who face delays in receiving medical care. Many are also struggling to get the medications they need to manage their health conditions. MercyOne, the operator of 230 healthcare facilities in Iowa, said the incident took its online scheduling system offline, which has prevented the system from being used to schedule online appointments in Central Iowa.

Several individuals claiming to be employees and patients of CommonSpirit Health have taken to social media sites to voice their concerns. Patients have claimed they have been unable to obtain medical care and prescriptions, including medications for managing cancer at home. Individuals claiming to be employees have explained that it has been a nightmare for staff due to having to work with paper charts. One nurse took to Reddit to explain that staff at the hospital have been unable to access the Downtime Epic EHR system to see patient histories, that the pharmacy has been unable to verify orders and has had to handwrite labels, and that labs have had to be handwritten and faxed. It has now been 11 days since the attack, and the disruption continues, with IT systems still offline.

Ransomware Attack Confirmed

No details were initially released about the exact nature of the incident, although security researcher Kevin Beaumont said on Twitter shortly after the attack that the incident response chatter he had heard made it clear that this was a ransomware attack. That has now been confirmed by CommonSpirit Health. HIPAA Journal has not been able to establish at this stage which group is responsible for the attack.

CommonSpirit Health said in a recent update that the incident is an ongoing situation and the response is being managed, with assistance provided by leading cybersecurity specialists. Law enforcement, the Department of Health and Human Services, and other authorities have also been notified about the attack and are providing support.

CommonSpirit Health said that throughout the response, the priority has been to continue to provide the highest quality of care to its patients and ensure patient safety. A forensic investigation is underway to determine the extent of the attack and reviews are being conducted of its systems to determine if there has been any data impact. That process could take some time and further information will be made available when conclusions have been drawn from the investigation.

“There is no impact to clinic, patient care and associated systems at Dignity Health, Virginia Mason Medical Center, TriHealth or Centura Health facilities. For the other parts of our health system that have seen impacts on operations, CommonSpirit Health is in the process of restoring those systems that were taken offline,” explained CommonSpirit Health on its website. “As systems come back online, our providers will be able to access their patients’ electronic health records. We are working diligently every day to bring systems online and restore full functionality as quickly and safely as possible.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
