Updated December 14, 2022
More than 20 million patients have been victimized by a ransomware attack on CommonSpirit Health. This is the second-largest healthcare data breach in history, and it is still unfolding more than a month after it was first reported. (The Anthem breach in 2015 affected almost 80 million patients.) At CommonSpirit, patients’ medical records have been compromised, EHR systems have been down, and patient care has been affected.
CommonSpirit is the largest Catholic health system and the second-largest nonprofit hospital chain in the United States, operating 142 hospitals in 21 states, and more than 1,000 care sites including cancer clinics, surgery hubs and stroke centers. News reports have noted that the attack has affected health centers in Washington, Texas, Nebraska, Iowa, Michigan and Tennessee.
Ransomware Effects Are Continuing
CommonSpirit first reported the cybersecurity incident on October 4. Its latest update was last week on November 9. The update noted that CommonSpirit is still working to return to normal operations after it was hit by a ransomware attack more than a month ago.
The November 9 statement also says:
“For the parts of our health system that have seen impacts on operations, we’re working diligently every day to bring systems online and restore full functionality as quickly and safely as possible. Providers in the majority of markets now have access to the electronic health record (EHR) across the CommonSpirit Health system, including at hospitals and clinics. In addition, most patients can again review their medical histories through the patient portal and we are working to restore appointment scheduling capabilities to the portal in cases where that feature exists. In the meantime, patients should contact their provider’s office directly to schedule an appointment.”
CommonSpirit noted “our stakeholders may have questions about their data, and we continue to conduct a thorough forensics investigation and review of our systems – which, in part, seeks to determine if any data was impacted.” (italics added for emphasis)
There will likely be more updates from CommonSpirit because it’s clear that systems are not fully back online.
UPDATE: On December 1, 2022, CommonSpirit filed a breach report with the Office for Civil Rights (OCR) noting that the medical records of 623,774 patients have been compromised. Information compromised included names, addresses, phone numbers, birthdates, and a unique ID used only internally by the organization. This is the first OCR report from CommonSpirit since it announced the incident in October.
Those affected include patients who received services from seven hospitals in Washington state that are collectively part of Virginia Mason Franciscan Health, an affiliated entity of CommonSpirit.
Ransomware Affects Patient Care
Several CommonSpirit patients have spoken to NBC News, which reported examples of dangerous and compromised patient care. In one incident, a 3-year-old boy being treated for tonsil pain in Iowa was given a substantial overdose of pain medication – fortunately, he recovered. Cancer surgery was delayed for weeks for another CommonSpirit patient in Washington because the electronic scheduling system was down.
Omaha local TV station KMTV reported that Midwestern patients have experienced difficulties finding care at CommonSpirit hospitals in the Omaha metro region bordering Iowa.
Ransomware Is a Presumed HIPAA Breach
A ransomware attack that encrypts protected health information (PHI) is presumed to be a HIPAA breach and must be reported to the Office for Civil Rights (OCR). However, if a covered entity performs a breach risk assessment and can demonstrate a low probability that the PHI was compromised in spite of the ransomware, the incident is not a reportable breach. So far we have not seen an OCR breach report from any of the publicly reported CommonSpirit health systems, e.g., Bergan Mercy Omaha, MercyOne Des Moines Medical Center, Seattle-based Virginia Mason Franciscan Health, etc. It may be that CommonSpirit’s ongoing investigation includes a breach risk assessment and a final decision hasn’t been made. Or, a report has been filed but hasn’t yet appeared on the OCR portal.
Whether the ransomware attack ultimately is a reportable HIPAA breach is of little consequence to the millions of patients who’ve been affected. Incorrect dosages and delayed care affect patients in the here and now. An OCR investigation and possible fines won’t change their experiences.
HIPAA Compliance Is the Best Defense
Cyber crime continues to grow and healthcare systems remain targets. HIPAA compliance is the best way to reduce risk and preserve the security and integrity of patient data.
Do an annual Risk Analysis, train the workforce and stay up-to-date with cybersecurity protections. The HIPAA E-Tool® can help.