Cyber Incident Victim: CommonSpirit Health
Date:
Aug 2019
Location:
United States of America
Summary
A ransomware attack targeted an orthopedic clinic's electronic health records database at CHI Health, locking providers out of the system and potentially compromising protected patient information. The compromised database contained older records from individuals treated before mid-2016, including names, birth dates, Social Security numbers, contact details, addresses, and medical data. While no evidence emerged indicating misuse of the exposed information, the organization offered affected patients complimentary credit monitoring and identity protection services for one year as a precautionary measure.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On August 1, 2019, CHI Health Lakeside Hospital in Omaha, Nebraska, discovered a ransomware attack that had locked access to an electronic health record database. The attack specifically targeted the hospital's orthopedic clinic and compromised an older records system containing patient information from before April 2016. Hospital officials determined the ransomware encrypted data that included patient names, dates of birth, Social Security numbers, phone numbers, addresses, and medical information. The incident did not affect current EHR systems or records created after the April 2016 cutoff date. CHI Health publicly disclosed the breach on September 27 through an announcement reported by local media.
The hospital confirmed the attack only impacted historical orthopedic clinic records, limiting the scope to patients treated at that specific facility prior to the system transition in 2016. While investigators found no evidence of actual misuse or theft of patient data, CHI Health offered affected individuals one year of complimentary credit monitoring and identity protection services as a precautionary measure. No operational disruptions to current medical services or modern EHR systems were reported. The organization maintained that the compromised database had been functionally isolated due to its legacy status within their infrastructure. Forensic analysis did not reveal additional system compromises beyond the identified orthopedic records repository.