CommonSpirit Health has confirmed that threat actors accessed the personal data of 623,774 patients in a ransomware attack in October.
This figure was published today on the US Department of Health’s Data Breaches Portal, where healthcare organizations are legally required to report data breaches affecting more than 500 people.
In early October, the Illinois-based nonprofit healthcare system first informed the public of a cyberattack that destroyed its computer systems.
CommonSpirit Health is the second-largest healthcare system in the United States, operating 140 hospitals and more than 1,000 care sites in 21 states, so any disruption to its operation has the potential for widespread impact.
On December 1, 2022, the organization released the latest results of its internal investigation into the security incident, admitting for the first time that the ransomware actors had accessed patient data.
“Our ongoing investigation shows that the unauthorized third party had access to certain files, including files containing personal information,” read the notice.
The type of data that has been compromised includes:
- Full name
- Telephone number(s)
- Date of birth
- A unique identifier used only internally by the organization
The company clarified that insurance IDs and medical record numbers could not have been exposed to ransomware actors.
The organization promised to contact everyone affected with notifications, but did not disclose the number of patients affected at the time.
In the notification sent to data subjects, the company said the data was exposed from September 16 to October 3, 2022, during which time ransomware actors maintained unauthorized access to CommonSpirit Health’s network.
CommonSpirit Health has not yet disclosed which ransomware group carried out the attack, and no criminal operation has claimed responsibility.