CommonSpirit Health is dealing with a data security incident that has impacted a lot of its healthcare services. Based on an October 4, 2022 statement released by the health system, IT systems were inaccessible online as a safety measure while investigating the incident to know the particular nature and extent of the incident. A short update was given on October 5, 2022 stating that the IT security incident continues to impact a number of its services. Hospital staff is following emergency protocols and are using pen and paper to log patient details as IT systems remain inaccessible.
On October 3, 2022, CommonSpirit Health discovered the incident, however, there is little information published at this time concerning the precise nature of the incident. The health system is doing what is necessary to reduce the effect on its patients. Because certain IT systems are inaccessible, some appointments were rescheduled while mitigating the security incident. A number of patients have remarked that they cannot book new appointments.
CommonSpirit Health in Chicago, IL is the biggest catholic health system located in the U.S. and the second biggest non-profit U.S. health system. It was a merger of Dignity Health of California and Catholic Health Initiatives (CHI Health) of Colorado that took place in 2019. CommonSpirit Health manages 142 hospitals and roughly 1,500 care centers in 21 states, has about 150,000 workers which include 25,000 doctors and attends to over 21 million patients annually. Around 1 in 4 Americans access CommonSpirit Health’s hospitals and healthcare facilities.
A number of CHI Health facilities located in Nebraska have affirmed that they are encountering blackouts due to the incident. MercyOne Des Moines Medical Center located in Iowa has likewise been impacted, and so ambulances were diverted for a short time period. The incident is additionally found to have impacted hospitals located in Washington and Tennessee.
Reports from patients claimed that the Epic Systems MyChart tool was impacted, though a representative of the EHR provider mentioned that only CommonSpirit Health is experiencing the problems. It ought to be mentioned that it is common to take the EHR system offline whenever cyberattacks are discovered. It doesn’t necessarily mean that unauthorized individuals accessed the EHR system.
It’s still too early to say to what extent, if any, patient data was impacted or what is the specific nature of the attack; nevertheless, security researcher Kevin Beaumont tweeted that based on the incident response chat, it was likely a ransomware attack.
CommonSpirit Health will publish additional information concerning the incident as the investigation moves along.