Chain Ransomware Attack on CommonSpirit Health IT System Affected 140 Hospitals in 21 States
Possibly the most significant cyber-attack so far: The IT system holding hospital records of about 20 million Americans has been found to be compromised, resulting in cancer treatment appointment delays and ambulance route diversions.
10 October 2022 | SafeAeon Inc.
CHICAGO (AP) — CommonSpirit Health, an extensive nonprofit health system with 140 hospitals in 21 states, has reported an "IT security issue" that has disrupted operations in several states.
The Chicago-based company, formed in 2019 by the merger of Catholic Health Initiatives and Dignity Health, serves 20 million Americans through more than 1,000 care locations across the country.
If patient data is compromised, this attack could be the most prominent medical cyberattack in US history.
It is unknown how many of the 140 hospitals dispersed over 21 states are affected by the breach, but it has already led to cancer appointments being canceled and ambulances being redirected.
The MercyOne Medical Center in Iowa and the second-best medical center in the state of Washington, Virginia Mason Medical Center, are among several that have been impacted.
The St. Michael Medical Center in Washington and the CHI Memorial Hospital in Tennessee had to postpone necessary surgeries, including CT scans for brain bleeds.
Kathy Kellog, a patient from Washington, was among those impacted. She experienced a minimum five-day delay in her surgery to remove a malignant tumor on her tongue. Her husband Mark told KING-TV, "everything we do today is all on a computer, and without it, you're back to the stone era writing on a tablet." One of the many facilities that took systems offline due to the hack was the hospital they were visiting, Virginia Mason Medical Center.
According to the Des Moines Register, the event happened on Monday and necessitated the transfer of ambulances from the MercyOne Medical Center's emergency room to other hospitals. The Chattanoogan noted that affected facilities included CHI Memorial Hospital.
In a statement released on Tuesday, July 4, 2022, CommonSpirit stated that it had rescheduled some patient visits and taken "some IT systems offline," including electronic health records, as a precaution. It would not specify whether patient records were accessed. It also didn't determine when the alleged breach was discovered.
The U.S. government has identified the healthcare industry as one of 16 key infrastructure sectors, and healthcare providers are seen as desirable targets for hackers.
Healthcare providers are obligated by law to alert the Department of Health and Human Services if patient data is accessed.