CommonSpirit Health Updates Estimated Cost from Ransomware Attack

The cost of the October 2022 attack is expected to increase to $160 million.

By HFT Staff

CommonSpirit Health has provided an updated estimate on the cost of its October 2022 ransomware attack, which is expected to increase to $160 million. The ransomware attack was detected by CommonSpirit Health on October 2, 2022, forcing systems to be taken offline. The attack affected over 100 current and former CommonSpirit facilities in 13 states. The forensic investigation determined hackers first gained access to its network on September 16, 2022, and were ejected on October 3, 2022. The attackers stole data from two file servers, although they did not gain access to its medical record system. The stolen files contained the protected health information of almost 624,000 patients. 

CommonSpirit Health operates 143 hospitals and around 2,300 other healthcare facilities in 22 states and is the second-largest non-profit health system in the United States. CommonSpirt’s first quarter results show total revenues from the 3 months to March 31, 2023, of $8.3 billion, and $25.6 billion for the 9 months to March 31. In the first quarter of 2023, CommonSpirit reported $648 million in operating losses and $1.1 million in losses for the 9 months to March 31. Net losses of $231 million and $445 million were reported for the 3- and 9-month periods due to improved investment returns. CommonSpirit said the ransomware attack did not have any impact on the current quarter’s operating results. 

The ransomware attack was initially estimated to cost around $150 million, but a further $10 million in costs has been added to that figure. The increased cost factors in lost revenues due to business interruption, costs incurred remediating the ransomware attack, and other business-related expenses. In a call with investors, CommonSpirit explained that most of the $160 million is expected to be recovered from underwriters, although recovery of the costs is expected to take some time. CommonSpirit also confirmed in its quarterly report that it is facing a class action lawsuit over the ransomware attack and data breach. The lawsuit was filed in December 2022 in the U.S. District Court for the Northern District of Illinois and alleges negligence due to the failure to implement reasonable and appropriate security measures to protect patient data. The lawsuit seeks damages for the plaintiff and class exceeding $5 million, injunctive relief and legal costs. 

June 1, 2023

Topic Area: Maintenance and Operations , Security

Recent Posts

3 Ways Technology Can Benefit Facilities Teams

By investing in people supported by innovative technology, facilities will be better equipped to meet evolving challenges.

36th Annual Healthcare Facilities Symposium and Expo Held

The show was held in Charlotte, North Carolina.

Florida Hospital Experiences Two Power Outages in Less Than 24 Hours

Facilities management can mitigate potential outages through training and planning. 

Unique Facility Combines Housing and Healthcare

CCC Blackburn Center gives about 3,000 patients per year access to employment services, housing placement, and complementary clinic services.

KnowBe4 Releases Figures Concerning Healthcare Cyberattacks

The U.S. healthcare industry has become a top target for cyberattacks over the past several years.


FREE Newsletter Signup Form

News & Updates | Webcast Alerts
Building Technologies | & More!


All fields are required. This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Healthcare Facilities Today membership includes free email newsletters from our facility-industry brands.

Facebook   Twitter   LinkedIn   Posts

Copyright © 2023 TradePress. All rights reserved.