CommonSpirit Health is experiencing a data security incident that has affected many of its healthcare facilities. According to a statement issued by the health system on October 4, 2022, IT systems have been taken offline as a precautionary step while the incident is investigated and its exact nature and scope are determined. A brief update was issued on Wednesday, October 5, 2022, confirming the IT security incident was still impacting some of its facilities and that staff members were operating under its tried and tested emergency protocols and using pen and paper to record patient information while IT systems are offline.
The incident was detected on October 3, 2022, but little information has been released at this stage about the exact nature of the incident. CommonSpirit Health said it is doing everything possible to minimize the impact on its patients. Without access to certain IT systems, the decision has been taken to reschedule some appointments while the security incident is mitigated. Some patients have reported that it has not been possible to make new appointments.
Chicago, IL-based CommonSpirit Health is the largest Catholic health system in the United States and the second largest non-profit U.S. health system. It was formed in 2019 by the merger of Catholic Health Initiatives (CHI Health) of Colorado and Dignity Health of California. CommonSpirit Health operates 142 hospitals and approximately 1,500 care facilities in 21 states, has around 150,000 employees including 25,000 physicians, and serves more than 21 million patients a year. CommonSpirit Health’s hospitals and healthcare facilities are accessible to around 1 in 4 Americans.
Several CHI Health facilities in Nebraska have confirmed that they are experiencing outages as a result of the incident. MercyOne Des Moines Medical Center in Iowa has also been affected, and the decision was taken to divert ambulances for a short period of time. The incident is also known to have affected hospitals in Tennessee and Washington.
Reports have been received from patients claiming the MyChart tool from Epic Systems has been affected, although a spokesperson for the EHR provider said the issues are only being experienced by CommonSpirit Health. It should be noted that the decision to take the EHR system offline is common when cyberattacks are detected and does not mean the EHR system has been subjected to unauthorized access.
At such an early stage of the investigation, it is unclear to what extent, if any, patient information has been affected, and the exact nature of the attack has not been disclosed. However, security researcher Kevin Beaumont said on Twitter that the incident response chatter indicates this was a ransomware attack, which would explain the widespread impact of the incident.
“Cyber incidents targeting the healthcare industry are increasing in frequency, severity, and cost, with significant adverse impacts on patient services and privacy. In 2022, data breaches of healthcare organizations with at least 500 victims are up 78%, with the average breach costing $10 million,” Eoghan Casey, VP of Cybersecurity Strategy & Product Development at OwnBackup, explained to HIPAA Journal. “The CommonSpirit Health cyberattack is just the latest incident that demonstrates the need for healthcare CIOs and CISOs to implement solutions to proactively protect and rapidly restore mission-critical data. Doing this will help secure patient data and mitigate the risks of future attacks, ultimately preventing costly disruptions to operations and the ability to care for patients.”
Further information about the incident will be released by CommonSpirit Health as the investigation progresses, and this article will be updated as further information becomes available.
The post CommonSpirit Health Experiencing Widespread Outage Due to Cyberattack appeared first on HIPAA Journal.