CommonSpirit Update: Hackers Accessed Files Through Franciscan Medical Group | Healthcare Innovation

On Dec. 1, CommonSpirit Health updated its website regarding its October ransomware attack. The ongoing investigation has found that an unauthorized third party accessed files that include personal information from one if its affiliates, Seattle-based Franciscan Medical Group and/or Franciscan Health in Washington state.

The website adds that “CommonSpirit Health has no evidence that any personal information has been misused as a result of the incident. We are notifying individuals whose personal information was in those files.”

In the FAQ section of CommonSpirit’s website regarding which hospitals/locations were affected, it says that “While a review of the impacted files is ongoing, CommonSpirit identified that some of this data was associated with services provided in the past by Franciscan Medical Group and/or Franciscan Health in Washington state. The data in the files related to patients, family members or caregivers of patients that may have been seen at Washington state locations including:  St. Joseph Hospital (Tacoma), St. Francis Hospital (Federal Way), St. Elizabeth Hospital (Enumclaw), St. Clare Hospital (Lakewood), St. Anthony Hospital (Gig Harbor), St. Anne Hospital, formerly Highline Hospital (Burien), St. Michael Medical Center, formerly Harrison Hospital (Bremerton & Silverdale), and physician clinics associated with Franciscan Health. Franciscan Health is now part of Virginia Mason Franciscan Health.”

In October, we reported that “Chicago-based CommonSpirit Health, which has 140 hospitals across 21 states and more than 1,000 facilities, has been experiencing an ‘IT security issue,’ as mainstream media outlets have been reporting. Journalists began reporting the incident on Monday, Oct. 3, and updated information categorizes the incident as a ransomware attack. CommonSpirit is the second-largest nonprofit health system in the U.S.”

In that same article, Healthcare Innovation had the pleasure of speaking with with cybersecurity expert and former Stanford Children’s Health CISO Chad Wilson, to get his perspective on the incident. “In this country, we don’t incentivize securing medical records,” he comments. “Everyone is not adhering to the same standard in the country and that’s a legal challenge. We might hear about an incident at one large health care organization today. And tomorrow, it might be a smaller one that you don’t hear about, but these incidents still have tremendous impact.”

On Nov. 10, we reported on an update regarding the ransomware attack. We reported that “Chicago-based CommonSpirit Health updated its website with a statement on Nov. 9 regarding its recent ransomware attack. The organization says that providers in the majority of markets now have access to their EHRs across the CommonSpirit Health system, including at hospitals and clinics.”

Moreover, “The statement adds that the majority of patients can now receive their medical histories through the patient portal. The organization is working to restore appointment scheduling functionality to the portal in cases where that feature exists and, in the meantime, patients should directly contact their provider’s office to schedule appointments.”