CommonSpirit Health Cybersecurity Incident Forces IT Systems Offline
CommonSpirit hospitals in Nebraska, Iowa, and Washington have taken certain IT systems offline, including electronic health records (EHR).
A cybersecurity incident continues to impact Chicago-based CommonSpirit Health, the second-largest nonprofit hospital chain in the United States.
An Oct. 4 statement said the network was managing “an IT security issue” that was impacting some of its facilities. CommonSpirit is a 21-state network consisting of more than 1,500 healthcare sites and 150,000 employees.
“As a precautionary step, we have taken certain IT systems offline, which may include electronic health record (EHR) and other systems. Our facilities are following existing protocols for system outages and taking steps to minimize the disruption,” the statement continued. “We take our responsibility to ensure the security of our IT systems very seriously. As a result of this issue, we have rescheduled some patient appointments.”
The network has yet to confirm the nature of the security incident and it is not known if patient information or health data was compromised, according to TechCrunch.
CommonSpirit hospitals in at least three states have taken their EHRs offline. Nebraska-based CHI Health reported outages across its Omaha hospitals. A notice posted on its site says the organization has canceled, delayed, or rescheduled some patient appointments and procedures. It also urges patients out of prescription refills to have their pharmacist directly contact their healthcare provider for written reauthorization. Iowa-based MercyOne Des Moines Medical Center took some of its IT systems offline, including its EHRs, and Washington-based Virginia Mason Franciscan Health shut down its EHRs and other IT systems at three hospitals.
In July, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the U.S. Department of the Treasury warned that North Korea-backed hackers were targeting healthcare and public health organizations with Maui ransomware. Also in July, the FBI and the Department of Justice (DOJ) announced they had disrupted the activities of the hacking group and recovered $500,000 in ransom payments and cryptocurrency.
Cybersecurity firm Sophos reported that two-thirds of healthcare organizations it surveyed experienced a ransomware attack in 2021. So far in 2022, at least 15 U.S. health systems operating 61 hospitals have been impacted by ransomware, says Brett Callow, a threat analyst for digital security firm Emsisoft.