CommonSpirit Health reported that it incurred $150 million in losses following an October 2022 ransomware attack. The health system and nonprofit hospital chain suffered weeks of outages at some sites across the United States following the breach, with the full scale of the attack not being realized until months after the event.
The attack caused disruption for patients and staff, and prompted a class-action suit alleging that negligence on the part of the firm left vulnerabilities that the hackers exploited to gain access to confidential patient records.
The Background
In early October 2022, hospitals and clinics owned by CommonSpirit Health across the U.S. reported issues with their computer systems. These included outages, appointment cancellations and downtime for their electronic health record systems. At first, the company referred to the disruption as an “IT incident,” but it quickly became clear that it was, in fact, a ransomware attack.
The business took many of its systems offline in order to contain the breach while continuing to provide care to its many patients around the country. Although some sites were not affected, others were without fully functioning patient portals and payroll platforms for weeks after the incident. The investigation later found that the data of 623,774 individuals had been compromised.
At more than 100 sites in 13 states, hackers accessed demographic data (such as names, addresses and dates of birth), medical information, and billing and insurance details.
The company’s financial report said that “upon discovering the attack, CommonSpirit took immediate steps to protect its IT systems, contain the incident, begin an investigation, and maintain continuity of care.”
How it Affected Patients
During the downtime, patients could not access services they relied on the clinics for. One individual reported being unable to reorder sensors for his continuous glucose monitor, which meant he had to carry out painful manual tests instead.
Others found chaotic scenes in clinics, with staff not knowing who was due to arrive for appointments and subsequently sending patients to urgent care because they could not be scheduled on site.
Reports at the time show that it took more than two weeks for the company to bring back access to electronic health records at some sites.
Fallout From the Incident
In its quarterly financial report, CommonSpirit admitted the ransomware attack had caused “an estimated adverse financial impact of approximately $150 million to date, which includes lost revenues from the associated business interruption, the costs incurred to remediate the issues and other business expenses, and is exclusive of any potential insurance related recoveries.”
Indeed, that figure could rise if the company is found to be noncompliant with stringent regulations in the health industry.
CommonSpirit network hospital patient Leeroy Perkins filed a class-action lawsuit against the firm on December 29 in the U.S. District Court for the Northern District of Illinois. It stated that the company “owed a duty” to its patients to “exercise reasonable care” with their personal data and that it did not meet industry standards with its protections.
Perkins is seeking damages of more than $5 million for himself and others, as well as an order compelling CommonSpirit to adopt stronger data protection practices.
What We Can Learn
Ransomware is not just something that hits big, faceless corporations in the pocket. When aimed at industries such as healthcare, it can endanger the lives of patients, causing disruption to their care and anguish over the implications of their data being compromised.
Companies must work to keep these bad actors out of their systems. One way to achieve this is to train workers on their responsibilities and on the potential consequences of their actions. Another is to continuously monitor networks for shadow IT and other potential entry points for hackers, so that such exposures can be eliminated before they are exploited.
Vaultry monitors all devices on your network for programs that shouldn’t be there. This means that you can eradicate them as soon as you spot them, getting there before the hackers do. To protect your business, get started with Vaultry today.