More than 100 current and former CommonSpirit facilities in 13 states might have been affected by the recent ransomware attack on the health system, CommonSpirit said late last week.
The disclosure paints a fuller picture of the scope of the sweeping data breach, which compromised the protected health information of almost 624,000 people late last year.
Previously, the Illinois-based nonprofit had said that data from just two organizations, in Washington and Texas, might have been compromised by the attack.
CommonSpirit — one of the largest health systems in the U.S. — first detected a ransomware attack on its IT network in early October. An investigation found an unauthorized third party gained access to the network between Sept. 16 and Oct. 3.
The hacker did not gain entry to CommonSpirit’s electronic health record system, but did obtain copies of some of the data held elsewhere in its environment — including files from two file share servers containing individuals’ data spanning several years, CommonSpirit said Thursday.
The data included demographics such as name, address and date of birth, along with medical information like dates of service, medical record number, provider name, diagnosis and treatment information and health insurance information.
CommonSpirit began notifying those impacted by the file share server data breach on April 6. The system said there is no evidence the data has been misused.
In previous disclosures, CommonSpirit only shared that St. Luke’s Diagnostic Heart Center in Houston, Texas, and Seattle-based Virginia Mason Franciscan Health may have been affected by the ransomware attack.
CommonSpirit has now named dozens of owned and affiliated facilities whose data may have been included in the stolen files.
The CommonSpirit facilities potentially affected include 21 organizations in Texas, 14 in Nebraska, 14 in North Dakota, 13 in Kentucky, 10 in Washington state, six in Arkansas, six in Minnesota, five in Tennessee, five in Ohio, four in Oregon, three in Georgia, three in Iowa and one in Pennsylvania.
The breach also impacted 45 CHI Health at Home organizations, including home infusion providers and hospice and palliative care companies, and eight associated and former CommonSpirit facilities in Colorado, Kansas, Kentucky, Iowa, New Jersey and Pennsylvania.
The breach interrupted access to medical records and delayed patient care in multiple regions late last year. It took CommonSpirit more than a month to return to normal operations.
The healthcare sector is a popular target for cybercriminals because of the volume of sensitive personal information it holds and because its cybersecurity programs are often outdated and underfunded. Healthcare organizations have become more exposed as hospital and payer systems move increasingly online, and reported breaches in the sector have risen sharply in recent years.