
Cyber Incident Victim: CHRISTUS Health

Date: Jul 2022

Location: United States of America

Summary

CHRISTUS Spohn Health System experienced a ransomware attack attributed to the AvosLocker group, which claimed responsibility and leaked samples of stolen protected health information on the dark web. The organization detected unauthorized system activity early, contained the incident without disrupting clinical operations, and initiated an investigation with cybersecurity experts. The breach impacted over 15,000 individuals, exposing identifiers linked to patient health and payment details, creating risks of identity theft and medical record manipulation. AvosLocker operates a ransomware-as-a-service model with global affiliates and has been implicated in numerous prior attacks.

Description

On July 1, 2022, CHRISTUS Spohn Health System Corporation filed a data breach notice with the U.S. Department of Health and Human Services Office for Civil Rights following a ransomware attack attributed to the AvosLocker group. The health system detected early signs of unauthorized activity on its computer systems and halted the intrusion before it disrupted patient care or clinical operations. CHRISTUS engaged cybersecurity professionals to investigate the incident but did not publicly disclose technical details about the attack vector or duration of system access. AvosLocker, a ransomware-as-a-service group active since July 2021, claimed responsibility for the breach and posted samples of stolen protected health information on dark web forums. The organization's breach notification estimated 15,062 individuals were affected, though CHRISTUS did not release specific details about compromised data types or the full scope of exfiltrated records.

The breach exposed protected health information containing patient identifiers such as names, Social Security numbers, and addresses, enabling potential linkage to medical histories and payment methods. AvosLocker's business model involved affiliates conducting ransomware attacks worldwide, with the group claiming over 50 prior incidents. CHRISTUS Spohn Health System, a Texas-based nonprofit operating 600 facilities across multiple health ministries, maintained normal operations during the incident response. Secondary reports indicated the stolen data could enable medical identity theft, where threat actors might fraudulently obtain treatment under victims' identities, potentially corrupting medical records with inaccurate allergy or medication information. The organization did not confirm whether ransomware payments were made or specify containment measures beyond initial detection and investigation efforts.
