Cyber Incident Victim: CommonSpirit Health
Date:
Oct 2022
Location:
United States of America
Summary
CommonSpirit Health experienced a ransomware attack that disrupted operations across multiple facilities, prompting the organization to take electronic health records and patient portals offline as a precaution. The incident caused appointment rescheduling and service interruptions, though most markets later regained EHR access and partial patient portal functionality for medical history review. The healthcare provider engaged cybersecurity specialists and law enforcement while conducting a forensic investigation to determine potential data compromise. Continuity protocols were activated to maintain patient care, with certain subsidiaries remaining unaffected by the attack throughout the incident.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
CommonSpirit Health, the second-largest nonprofit U.S. hospital chain operating over 700 care sites and 142 hospitals across 21 states, confirmed an IT security disruption beginning in early October 2022. The organization publicly acknowledged the incident on October 4, subsequently describing it as a ransomware attack that forced certain systems offline as a containment measure. Electronic health records (EHR), patient portals, and appointment scheduling systems were intentionally disabled at impacted facilities, causing operational disruptions that required rescheduling patient appointments through direct provider contact. Specific subsidiaries affected included CHI Health in Nebraska, where Omaha hospitals experienced outages, and MercyOne Des Moines Medical Center, which lost EHR access. CommonSpirit implemented existing outage protocols to maintain clinical operations through alternative documentation methods while emphasizing continuity of care as its highest priority. The organization declined to confirm whether patient data was compromised during initial statements, with spokesperson Chad Burns restricting commentary to official updates.
Upon detecting the ransomware attack, CommonSpirit mobilized incident response teams to isolate systems, initiate forensic investigations, and engage external cybersecurity specialists alongside law enforcement notifications. By November 9, restoration efforts had reinstated EHR access for providers in most markets across hospitals and clinics, while patient portals regained medical history review functionality though appointment scheduling features remained partially unavailable. Facilities operated by Dignity Health, Virginia Mason Medical Center, TriHealth, and Centura Health were explicitly excluded from operational impacts. CommonSpirit established a dedicated webpage for status updates, confirming ongoing forensic work to determine potential data compromise while maintaining that clinic and patient care systems at unaffected subsidiaries operated normally. The organization acknowledged service disruptions caused patient inconvenience without specifying total appointment reschedules or duration of system outages, instead highlighting staff efforts to mitigate care delivery impacts through manual protocols during recovery phases.