The CommonSpirit ransomware attack: 1 year later

One year ago, on Oct. 2, 2022, Chicago-based CommonSpirit Health detected a ransomware attack on its IT network.

The fallout led to ambulances being diverted, patients being turned away from appointments, and an estimated $160 million in costs for the 143-hospital system.

Initially, health system officials scrambled to contain the attack, taking IT systems offline and switching to paper records. Appointments and surgeries had to be canceled. CommonSpirit didn't publicly disclose it had been a victim of ransomware until 10 days later, on Oct. 12. It took several weeks to bring EHRs back online.

While hackers didn't obtain data directly from CommonSpirit EHRs, they copied individuals' information from two file-share servers, the health system said. It took CommonSpirit more than five months to determine what data was affected, requiring a "time-consuming review of each individual file on each file server."

The affected data included personal identifying information, including Social Security numbers for a small number of people, and diagnosis and treatment information.

Dozens of hospitals across 13 states, and hundreds of thousands of patients, were affected. The Catholic health system estimated a $160 million loss from the cyberattack, but still doesn't know how much will be recovered by insurance. Like other health systems involved in cyberattacks, CommonSpirit has faced several class-action lawsuits over the event.

"There can be no assurance that the resolution of this matter will not affect the financial condition or operation of CommonSpirit, taken as a whole," the health system said in an annual report published Sept. 21.

Meanwhile, ransomware attacks continue at hospitals and health systems around the country, though one cybersecurity firm noted that it may be hard for 2023's numbers to overtake 2022 because of the breadth of the CommonSpirit attack. Healthcare data breaches overall, however, are up. CommonSpirit was even caught up in what may be this year's largest hack (though not directly).

Copyright © 2024 Becker's Healthcare. All Rights Reserved.

