CommonSpirit operates 140 hospitals and more than 1,000 care sites across 21 states. Though CommonSpirit is headquartered in Chicago, it does not operate any hospitals in Illinois.
Facilities affected in the cyberattack include those in Iowa, Nebraska, Tennessee and Washington. The suit says there are at least 100 members in the proposed class, though the U.S. Department of Health & Human Services' Office for Civil Rights reports that more than 623,700 people were affected. CommonSpirit serves 20 million patients at its facilities across the country, according to the suit. HHS is now investigating CommonSpirit's breach.
The suit was filed Dec. 29 in U.S. district court for Northern Illinois by Leeroy Perkins, a Washington resident and patient at CommonSpirit's Virginia Mason Franciscan Health hospital in Seattle. Since the breach, Perkins said he has been required to spend valuable time monitoring his various accounts and changing passwords to protect his information. The suit seeks damages in excess of $5 million and injunctive relief for Perkins and all others similarly situated.
Attorneys for Perkins and a CommonSpirit representative did not immediately respond to a request for comment.
CommonSpirit first reported in early October that it was dealing with an IT security issue that was disrupting operations at some of its facilities. About a week later, the health system confirmed it was the victim of a cyberattack and was forced to take patient portals and some electronic health records offline.
Electronic health records are crucial to modern day hospital operations. They allow physicians, nurses and other caretakers to see patient history, scans, medication and other details about treatment plans.
The cyberattack wasn't resolved until a month later, when CommonSpirit said it had reinstated most EHRs at its hospitals and care sites. At the time, CommonSpirit said that upon discovering the ransomware attack, the organization mobilized to protect its systems while continuing to give care to patients.
Download Modern Healthcare’s app to stay informed when industry news breaks.
Health systems have increasingly become targets for cybercriminals. According to research from Protenus, a Baltimore health care compliance company, there were 905 reported health data breaches in 2021, up 19% from 758 the year before.
In Chicago, Duly Health & Care, formerly known as DuPage Medical Group, reported a data breach in 2021 that affected more than 600,000 patients. In 2019, Rush disclosed a data breach that exposed 45,000 people.
More recently, local health systems have also been dealing with patient data breaches after using internet tracking technologies from companies like Google and Facebook parent Meta, which help health systems collect details about how patients and others interact with their websites. Advocate Aurora Health, Northwestern Medicine and Rush System for Health have each been sued over the issue.
This story first appeared in Crain's Chicago Business.
