CommonSpirit Health Provides Update on October 2022 Ransomware Attack

Over 160 different facilities were affected by the incident.

By HFT Staff

CommonSpirit Health has issued an update about its October 2022 ransomware attack and has confirmed that patients from 164 facilities were affected by the attack and had their sensitive data exposed or stolen. CommonSpirit Health detected the ransomware attack on October 2, 2022, and the forensic investigation revealed unauthorized individuals had access to its systems between September 16, 2022, and October 3, 2022. 

In December 2022, CommonSpirit Health confirmed that the threat actor responsible for the attack had stolen patient data prior to encrypting files and said patients of Franciscan Medical Group/Franciscan Health and Virginia Mason Franciscan Health facilities had been affected. Those individuals were notified about the data breach in December. In February 2023, CommonSpirit Health issued a further update confirming the attackers also obtained the data of patients of St. Luke’s Diagnostic Cath Lab, Diagnostic Heart Center in Houston, TX, and sent notifications to those individuals in February. 

The latest update on the ransomware attack was issued on April 6, 2023, and confirmed that the breach affected patients who had received care at certain facilities operated by Catholic Health Initiatives, Dignity Health, Centura Health, and MercyOne and shared a list of 164 hospitals and care sites that are known to have been affected. The investigation confirmed that the attackers had access to two file servers that contained files that included patient data such as names, addresses, birth dates, phone numbers, email addresses, dates of service, medical record numbers, healthcare provider names, diagnosis/treatment information, medical billing/claims information, patient facility associated account/encounter numbers, and health insurance information and, for a small number of individuals, Social Security numbers. 

CommonSpirit Health said the delay in issuing the latest notifications was due to the incredibly time-consuming review of all files stored on those file servers to determine if they contained patient data, and which patients had been affected. The initial phase of that process was completed on February 21, 2023, and then accurate address information needed to be found to allow notifications to be sent. 

CommonSpirit Health reported the data breach to the HHS’ Office for Civil Rights on December 1, 2022, as affecting 623,774 individuals.  That total has not been updated since, and CommonSpirit Health has not publicly confirmed at this stage exactly how many individuals have been affected. Given the number of hospitals now known to have been affected, that total is likely to increase by a substantial amount. 

April 19, 2023

Topic Area: Information Technology

Recent Posts

HVAC Innovations to Help Achieve Net Zero and Decarbonization Goals

HVAC manufacturers discuss the latest in sustainable innovations.

Addressing a Months-Long CPE Outbreak

Study follows infection prevention efforts of contaminated sinks and plumbing at Tokyo hospital.

KAI Finishes SSM Health Outpatient Center Expansion in Missouri

The recently completed 15,600-square-foot clinic is more than double the size of its previous space.

Lawrence Group Works on New Missouri Ronald McDonald House

The new facility is expected to open in summer 2024.

Infection Prevention for 'Near Patient' Surfaces

Six core components for cleaning and disinfecting the bed and 36 inches around it.


FREE Newsletter Signup Form

News & Updates | Webcast Alerts
Building Technologies | & More!


All fields are required. This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.