CommonSpirit Health Updates Privacy Breach Notice

Chicago-based CommonSpirit Health updated its privacy breach notice on April 6. The notice says that last year’s ransomware attack affected Catholic Health Initiatives and Dignity Health facilities, as well as Centura Health and MercyOne (Iowa).

The notice says that “While the unauthorized third party did not retrieve data directly from CommonSpirit’s Electronic Medical Records systems, during that time, the unauthorized third party obtained copies of some of the data on our systems, including files from two file share servers that contained some individuals’ information. CommonSpirit had used the data on the file share servers in performing various operational functions, and some of the data dates back several years. With respect to the data on the file share servers, determining what and whose data was impacted has required a detailed and time-consuming review of each individual file on each file server to identify the specific individuals whose information may have been impacted, and the type of information associated with each such individual. The initial phase of this part of the investigation was completed on February 21, 2023. Once this component of the review concluded, we worked to identify, when possible, the current and past CommonSpirit location(s) associated with the data. We then worked to identify accurate address information to provide notice to potentially affected individuals and only recently completed these efforts.”

“The information in the files included demographics such as name, address, date of birth, phone number(s), email address, as well as medical information such as dates of service, medical record number, healthcare provider’s name, diagnosis/treatment information, medical billing/claims information, patient’s facility associated account/encounter number, and health insurance information. For a small number of individuals, Social Security Number was also involved,” the notice adds.

CommonSpirit began notifying individuals impacted by the file share server data by U.S. mail on April 6.

CommonSpirit, the second-largest nonprofit health system in the U.S., has 140 hospitals across 21 states and more than 1,000 facilities. Journalists began reporting on an “IT security issue” on Oct. 3, 2022. Shortly after, Healthcare Innovation spoke with cybersecurity expert and former Stanford Children’s Health CISO Chad Wilson to get his perspective on the incident. Wilson says his initial thought is that “It’s a disaster. And an unfortunate one. As a CISO, this is something you don’t want to see happen.”

On Nov. 10, 2022, we reported that CommonSpirit updated its website with a statement on Nov. 9 regarding its recent ransomware attack. The organization says that providers in the majority of markets now have access to their EHRs across the CommonSpirit Health system, including at hospitals and clinics.

On Dec. 2, 2022, we reported that CommonSpirit Health updated its website regarding its October ransomware attack. The ongoing investigation has found that an unauthorized third party accessed files that include personal information from one of its affiliates, Seattle-based Franciscan Medical Group and/or Franciscan Health in Washington state.
