American healthcare system CommonSpirit Health recently confirmed that threat operators accessed personal data belonging to 623,774 patients in a targeted ransomware attack that occurred back in October.

This number of patients impacted was published recently on the dedicated breach portal of the US Department of Health, where healthcare organisations are obligated by law to report any data breaches that affect upward of 500 people.

A ransomware attack revealed

At the beginning of October, the non-profit system CommonSpirit Health first informed members of the public of a malicious cyberattack that effectively took down its dedicated IT systems.

Based in Chicago, Illinois, CommonSpirit Health is currently the United States’ second largest health system. According to recent figures it operates 140 hospitals and more than 1,000 care sites across 21 states. As a result, it makes for an attractive target for ransomware operators, as any disruption to an operation of such magnitude has the potential for widespread impact.

Ransomware gangs select victims like healthcare providers and organisations that supply critical services and hold sensitive data on customers and patients. The more confidential the data held by an organisation is, the more likely it is to pay a ransom to protect the data subjects whose information has been compromised. Additionally, when vital services cannot be accessed during a ransomware attack, providers are under further pressure to pay whatever is demanded and resume their normal operations.

On December 1 this year, the organisation published the most up-to-date results of its recently conducted internal investigation of the security incident. For the first time, CommonSpirit Health admitted that the ransomware actors had managed to access patient data during their intrusion.

The announcement from the US health system read:
“Our ongoing investigation shows that the unauthorised third party gained access to certain files, including files that contained personal information. While our review of these files is ongoing, we identified that some of these files contained personal information for individuals who may have received services in the past, or affiliates of those individuals, from Franciscan Medical Group and/or Franciscan Health in Washington state.”

Data compromised during the healthcare system ransomware attack

A wide range of personal data was exposed during the September to October attack on CommonSpirit Health. It included full names, dates of birth, home addresses, phone numbers, along with a unique ID only used internally by the healthcare organisation. The US health system clarified that medical record numbers and insurance IDs could not have been accessible to the ransomware operators.

CommonSpirit Health has now promised to contact all affected individuals with breach notifications but has not disclosed the number of patients impacted at this time.

In the recent notification issued to impacted individuals, the organisation said the data was exposed from September 16 to October 3 this year, which is the period during which the threat actors maintained unauthorised access to the CommonSpirit Health network.

At present, the organisation has not disclosed the specific ransomware gang behind the attack, and no threat operator has yet claimed responsibility.