Cyberattack Causing Disruption at Second Largest Non-Profit U.S. Health System
A major cyberattack and IT outage are causing considerable disruption at one of the largest healthcare systems in the United States – CommonSpirit Health. CommonSpirit Health is the largest Catholic health system in the United States and the country’s second-largest nonprofit health system. The health system operates more than 1,000 healthcare facilities in 21 states, including 140 hospitals.
Disaster struck on October 3, 2022, when the Chicago-based health system’s network was breached. Four days on and the health system is still facing disruption, with employees forced to operate under emergency procedures and use pen and paper to record patient information.
CommonSpirit Health issued a statement on October 4, 2022, confirming it is dealing with an “IT Security Issue,” with a brief update issued on October 4 – “CommonSpirit Health has identified an IT security issue that is impacting some of our facilities. We have taken certain systems offline. We are continuing to investigate this issue and follow existing protocols for system outages. We are grateful to our staff and physicians, who are doing everything possible to minimize the impact to our patients. We take our responsibility to our patients very seriously and apologize for any inconvenience.”
Few details have been released on the exact nature of the incident, which is typical at such an early stage of an investigation into a cyberattack. Consequently, the extent to which IT systems have been impacted and the nature and scope of the attack are unknown, including whether the attackers gained access to patient data. CommonSpirit Health serves around 21 million patients each year, so if a data breach has occurred, it has the potential to be a major privacy breach.
Several hospitals in Nebraska, Illinois, Tennessee, and Washington have confirmed that they do not have access to certain IT systems, with some taking the decision to postpone appointments, and at least one choosing to temporarily divert ambulances to other healthcare facilities out of patient safety concerns.
While CommonSpirit Health has not confirmed the cause, some security researchers have suggested that this was a ransomware attack. They include security researcher Kevin Beaumont, who suggests that, based on the incident response (IR) chatter he has seen, this is certainly a ransomware attack. A ransomware attack would not be a surprise, given the extent to which the healthcare industry in the United States has been targeted. The cybersecurity firm Emsisoft reports that there have been at least 15 attacks on U.S. health systems in 2022, which have affected at least 61 hospitals.