CommonSpirit Health Provides Update on October 2022 Ransomware Attack

Over 160 different facilities were affected by the incident.

By HFT Staff
April 19, 2023

CommonSpirit Health has issued an update about its October 2022 ransomware attack and has confirmed that patients from 164 facilities were affected by the attack and had their sensitive data exposed or stolen. CommonSpirit Health detected the ransomware attack on October 2, 2022, and the forensic investigation revealed unauthorized individuals had access to its systems between September 16, 2022, and October 3, 2022. 

In December 2022, CommonSpirit Health confirmed that the threat actor responsible for the attack had stolen patient data prior to encrypting files and said patients of Franciscan Medical Group/Franciscan Health and Virginia Mason Franciscan Health facilities had been affected. Those individuals were notified about the data breach in December. In February 2023, CommonSpirit Health issued a further update confirming the attackers also obtained the data of patients of St. Luke’s Diagnostic Cath Lab, Diagnostic Heart Center in Houston, TX, and sent notifications to those individuals in February. 

The latest update on the ransomware attack was issued on April 6, 2023, and confirmed that the breach affected patients who had received care at certain facilities operated by Catholic Health Initiatives, Dignity Health, Centura Health, and MercyOne and shared a list of 164 hospitals and care sites that are known to have been affected. The investigation confirmed that the attackers had access to two file servers that contained files that included patient data such as names, addresses, birth dates, phone numbers, email addresses, dates of service, medical record numbers, healthcare provider names, diagnosis/treatment information, medical billing/claims information, patient facility associated account/encounter numbers, and health insurance information and, for a small number of individuals, Social Security numbers. 

CommonSpirit Health said the delay in issuing the latest notifications was due to the incredibly time-consuming review of all files stored on those file servers to determine if they contained patient data, and which patients had been affected. The initial phase of that process was completed on February 21, 2023, and then accurate address information needed to be found to allow notifications to be sent. 

CommonSpirit Health reported the data breach to the HHS’ Office for Civil Rights on December 1, 2022, as affecting 623,774 individuals.  That total has not been updated since, and CommonSpirit Health has not publicly confirmed at this stage exactly how many individuals have been affected. Given the number of hospitals now known to have been affected, that total is likely to increase by a substantial amount. 

See the latest posts on our homepage Share

Topic Area: Information Technology

Recent Posts
Recent Posts

Can Adding Moisturizer to Hand Soaps Help Fight Skin Irritation from Frequent Handwashing?

Soap manufacturers join to discuss what kind of moisturizers can be included in hand soaps.


Albany ENT & Allergy Services Targeted by Two Ransomware Groups

The protected health information of over 220,000 individuals was accessed.


Novant Health Breaks Ground on Scotts Hill Medical Center Project

The new facility aims to be a one-stop healthcare destination.


Heat Pump Installation Reduces Costs, Improves Efficiencies

University Health Network’s Bickle Center finds success with heat recovery alternative.


Man Dies After Falling Out of Hospital Window

A man fell out of a hospital window after threatening hospital staff and a police officer.



News & Updates • Webcast Alerts • Building Technologies

All fields are required.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

You Might Like