CommonSpirit and media reports disclosed some facilities and states affected at the time of the breach, but the full extent was unknown until now. Crain’s previously reported that facilities in Iowa, Nebraska, Tennessee and Washington were among those affected. But according to CommonSpirit’s disclosure, facilities and services in Arkansas, Georgia, Indiana, Kansas, Kentucky, Minnesota, New Jersey, North Dakota, Ohio, Oregon, Pennsylvania and Texas were also included.
Although CommonSpirit is headquartered in Chicago, it doesn’t have any hospitals in Illinois. The health system is the parent organization of Catholic Health Initiatives and Dignity Health, and is or has been associated with Centura Health and MercyOne, facilities of which were among those in the breach. Altogether, CommonSpirit operates about 140 hospitals and 1,000 sites of care across more than 20 states.
According to CommonSpirit’s most recent quarterly financial statement, the data breach cost the organization about $150 million, which includes lost revenues from the interruption to business and costs to remedy the issue.
Information leaked during the breach includes names, addresses, birthdays, contact information and medical information. Billing information and Social Security numbers were also involved. In a statement, CommonSpirit said it has no evidence that the leaked personal information is being misused.
“Though CommonSpirit has no evidence that the information has been misused as a result of this event, it is always prudent to review health care statements for accuracy and report any services or charges that were not incurred to the provider or insurance carrier,” the health system said.
CommonSpirit began notifying impacted individuals at each facility by mail on April 6. The U.S. Department of Health & Human Services' Office for Civil Rights reported that more than 623,700 people are affected.
CommonSpirit did not immediately respond to a request seeking further comment today.
CommonSpirit first reported the breach in early October, saying at the time that it was dealing with an IT security issue that was disrupting operations at some of its facilities. About a week later, the health system confirmed it was the victim of a cyberattack and was forced to take patient portals and some electronic health records offline.
Following the data breach, CommonSpirit enlisted the help of cybersecurity specialists and notified law enforcement of the cyberattack. The cyberattack wasn't resolved until a month later, when CommonSpirit said it had reinstated most electronic health records at its hospitals and care sites.
In January, CommonSpirit was hit with a proposed class-action lawsuit over the data breach, which alleged that the health system was negligent in protecting patients from the threat of cyberattacks. In March, CommonSpirit filed a motion to dismiss the suit, according to court records.