CommonSpirit: Patients' Data Breached in Ransomware Attack7 Hospitals Affected by Breaches So Far; CommonSpirit Is Still Reviewing Data Files
Patients of at least seven hospitals in Washington state affiliated with CommonSpirit have been affected by a data breach involving the hospital chain's October ransomware incident.
Even more hospitals and their patients might also be among those affected by breaches as the Chicago-based medical giant continues to investigate the incident and review files compromised in the attack.
In a Thursday statement, CommonSpirit says data files from seven hospitals - collectively called Virginia Mason Franciscan Health, an affiliated entity of CommonSpirit - were compromised in the ransomware incident that was detected on Oct. 2.
CommonSpirit says its investigation determined that an unauthorized third party gained access to certain portions of the organization's network between Sept. 16 and Oct. 3. "During that time, the unauthorized third party may have gained access to certain files, including files that contained personal information."
The seven hospitals are St. Michael Medical Center, St. Anne Hospital, St. Anthony Hospital, St. Clare Hospital, St. Elizabeth Hospital, St. Francis Hospital and St. Joseph Hospital.
CommonSpirit did not immediately respond to Information Security Media Group's request for additional information, including the total number of Virginia Mason Franciscan Health patients affected.
As of Wednesday, the U.S. Department of Health and Human Services' HIPAA Breach Reporting Tool website listing health data breaches affecting 500 or more individuals did not yet show any breach reports posted involving the CommonSpirit incident.
That includes no breach reports from Des Moines, Iowa-based MercyOne, which was also affected by the CommonSpirit ransomware incident. MercyOne was previously jointly owned by CommonSpirit and Michigan-based Trinity Health before being acquired by Trinity Health this year.
MercyOne still uses CommonSpirit's IT systems, and the Iowa-based entity's electronic health records access and other application functionality were affected for several weeks following the ransomware incident.
A MercyOne spokeswoman tells ISMG that its IT systems are back online but says to direct questions to CommonSpirit about whether MercyOne will report a breach involving the ransomware attack.
"We're not able to expand on those points at this time," a CommonSpirit spokesman tells ISMG.
MercyOne will transition away from CommonSpirit's IT systems and onto Trinity Health's platforms in March, the MercyOne spokeswoman tells ISMG.
Trinity Health did not immediately respond to ISMG's request for comment.
CommonSpirit Health is the product of a 2019 merger between Catholic Health Initiatives and Dignity Health.
Mergers and acquisitions in the healthcare sector are common, but they come with a variety of risks, says Steve Cagle, CEO of privacy and security consultancy Clearwater, which completed its own acquisition this year of consulting firm CynergisTek.
He says that in the pre- and post-acquisition stages, we need to think about "our strategy for assessing and managing IT security risk."
Prior to an acquisition, thorough due diligence of IT security risk is essential, Cagle says. And post-acquisition, "you really need to be thinking of governance … and how your security program throughout that integration is going to drive the business objectives that are driving the acquisition in the first place."