CommonSpirit Health has confirmed that threat actors accessed the personal data for 623,774 patients during an October ransomware attack.
This figure was published today on the U.S. Department of Health breach portal, where healthcare organizations are legally obligated to report data breaches impacting over 500 individuals.
At the start of October, the Illinois-based non-profit health system first informed the public of a cyberattack that took down its IT systems.
CommonSpirit Health is the second largest health system in the United States, operating 140 hospitals and over 1,000 care sites across 21 states, so any disruption in its operation has widespread impact potential.
On December 1, 2022, the organization published the latest results of its internal investigation into the security incident, admitting for the first time that the ransomware actors had accessed patient data.
“Our ongoing investigation shows that the unauthorized third party gained access to certain files, including files that contained personal information,” reads the announcement.
“While our review of these files is ongoing, we identified that some of these files contained personal information for individuals who may have received services in the past, or affiliates of those individuals, from Franciscan Medical Group and/or Franciscan Health in Washington state.” – CommonSpirit Health.
The types of data that were compromised include:
date of birth,
and a unique ID used only internally by the organization.
The company clarified that insurance IDs and medical record numbers could not have been exposed to the ransomware actors.
The organization promised to contact all impacted individuals with notifications but didn’t disclose the number of affected patients at the time.
In the notification sent to impacted individuals, the company said the data was exposed between September 16 and October 3, 2022, the period during which the ransomware actors maintained unauthorized access to CommonSpirit Health’s network.
At this time, CommonSpirit Health has not disclosed the ransomware group that conducted the attack, and no criminal operation has claimed responsibility.