Pinnacle Holdings notifies multiple covered entities of 2024 breach
A VPN vulnerability gave attackers access to a healthcare consulting company's network for two weeks in November 2024, exposing patient data across...
A ransomware attack at a subcontractor of a healthcare consulting firm exposed patient data linked to the Catholic health system CommonSpirit Health.
CommonSpirit Health disclosed that a ransomware attack on a vendor within its extended supplier chain exposed data connected to patients served by the health system. According to the breach notice, the incident occurred at Pinnacle Holdings Ltd., a vendor used by healthcare consulting firm NorthGauge Healthcare Advisors, which itself works with CommonSpirit Health. Attackers had access to Pinnacle’s network from November 11 to November 25, 2024, during which time files were exfiltrated before the intrusion was detected and the network was isolated. Pinnacle engaged a third-party firm to review the compromised files and informed NorthGauge about the breach in November 2025. NorthGauge confirmed the identities of affected individuals on January 30, 2026, and notified CommonSpirit Health about impacted Washington residents on February 2, 2026. A breach notice filed with the Washington Attorney General indicates that 19,027 Washington residents were affected, though the full geographic scope remains unclear because the incident has not yet appeared on the U.S. Department of Health and Human Services Office for Civil Rights breach portal.
The incident demonstrates how ransomware attacks affecting subcontractors can cascade across healthcare vendor relationships. In this case, Pinnacle was not directly contracted by CommonSpirit Health; rather, it worked as a vendor for NorthGauge Healthcare Advisors, which provides consulting services connected to the health system. Such layered vendor relationships can complicate breach detection and notification timelines, particularly when data flows through multiple organizations before reaching healthcare providers. The delay between the intrusion in November 2024 and confirmation of affected individuals in early 2026 also illustrates how forensic review of stolen data can take months, especially when attackers exfiltrate large file sets that must be examined individually to determine whether protected health information was involved.
NorthGauge Healthcare Advisors stated in its breach notice to the Washington Attorney General that Pinnacle “immediately isolated its network when the attack was detected and has since implemented additional security measures to prevent similar incidents in the future.” The notice also explained that Pinnacle maintained “strict policies and procedures in place concerning data retention and data destruction,” which limited the amount of data exposed during the incident.
In 2022, CommonSpirit Health suffered an earlier ransomware attack that disrupted hospital operations and exposed patient data. According to reporting by BankInfoSecurity, attackers accessed parts of the health system’s network between September 16 and October 3, 2022, and investigators later determined that the intruders “may have gained access to certain files, including files that contained personal information.” The breach ultimately affected about 623,000 individuals and forced several hospitals to take systems offline, disrupting electronic health records and delaying care while the organization worked to restore operations.
The CommonSpirit incident shows how ransomware risk sits inside intricate vendor ecosystems rather than within a single healthcare organization. A Paubox analysis found that many organizations “are unaware of every third-party vendor touching their data,” which allows exposure to remain “invisible until a breach occurs.” When multiple contractors and subcontractors handle protected health information, oversight becomes more difficult, and detection delays become more likely. Paubox also notes that large healthcare systems operate across “hundreds of applications and sprawling third-party ecosystems,” creating gaps in monitoring and accountability if access controls, retention policies, and breach notification responsibilities are not consistently enforced across every partner. In incidents like the one involving Pinnacle, the challenge extends beyond the initial ransomware intrusion to understanding who accessed patient data, how long that access persisted, and how quickly downstream vendors reported the breach once it was discovered.
Healthcare organizations frequently share data with consultants, billing providers, and technology vendors. When those partners experience breaches, the healthcare organizations connected to the data may also be required to notify patients.
Data exfiltration occurs when attackers copy files out of a compromised network. Modern ransomware groups often steal data before encrypting systems so they can threaten to publish the information if a ransom is not paid.
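The two-week window in the Pinnacle case, in which files left the network before the intrusion was noticed, is the kind of event a simple egress baseline can surface. The script below is an added example, not code from Paubox or from any organization named in this article: it reads constructed daily flow summaries (day, source host, destination IP, bytes sent), ignores traffic to internal ranges, builds a per-host median of earlier days, and flags a day whose external egress is both above an absolute floor and many times that baseline. The internal network list, the 5x ratio and the 1 GB floor are assumptions chosen for the sample, not values from the article.

```python
"""Egress-volume anomaly check over constructed flow summaries (added example)."""
import ipaddress
from collections import defaultdict
from statistics import median

# Constructed sample data: one record per day/host/destination, bytes sent.
# The file server quietly sends ~300 MB/day to an external host, then on the
# last day pushes ~9.8 GB to a new external address (the exfiltration day).
SAMPLE_FLOWS = """\
2024-11-04 srv-files-01 203.0.113.10 320000000
2024-11-05 srv-files-01 203.0.113.10 300000000
2024-11-06 srv-files-01 203.0.113.10 340000000
2024-11-07 srv-files-01 203.0.113.10 310000000
2024-11-08 srv-files-01 203.0.113.10 330000000
2024-11-11 srv-files-01 198.51.100.77 9800000000
2024-11-11 srv-files-01 10.0.5.20 41000000000
2024-11-04 ws-hr-07 203.0.113.10 12000000
2024-11-05 ws-hr-07 203.0.113.10 15000000
2024-11-06 ws-hr-07 203.0.113.10 11000000
2024-11-07 ws-hr-07 203.0.113.10 13000000
2024-11-08 ws-hr-07 203.0.113.10 14000000
2024-11-11 ws-hr-07 203.0.113.10 16000000
"""

# Assumed internal address space; traffic to these ranges is not egress.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def parse_flows(text):
    """Turn whitespace-separated flow lines into (day, host, dst_ip, bytes) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, host, dst, nbytes = line.split()
        rows.append((day, host, ipaddress.ip_address(dst), int(nbytes)))
    return rows


def external_egress_by_host_day(rows):
    """Sum bytes sent to non-internal destinations, keyed by host then day."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, dst, nbytes in rows:
        if any(dst in net for net in INTERNAL_NETS):
            continue  # internal replication, backups etc. are not egress
        totals[host][day] += nbytes
    return totals


def flag_egress_anomalies(rows, ratio=5.0, min_bytes=1_000_000_000, min_history=3):
    """Flag (host, day) pairs whose external egress exceeds `ratio` times the
    median of that host's earlier days and is at least `min_bytes`.

    The absolute floor keeps small workstations from alerting on trivial
    jumps; the ratio keeps busy servers from alerting on normal variation.
    """
    alerts = []
    for host, per_day in external_egress_by_host_day(rows).items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]
            if len(history) < min_history:
                continue  # not enough prior days to call anything a baseline
            baseline = median(history)
            volume = per_day[day]
            if volume >= min_bytes and volume > ratio * baseline:
                alerts.append({
                    "host": host,
                    "day": day,
                    "bytes": volume,
                    "baseline": baseline,
                    "ratio": round(volume / baseline, 1),
                })
    return alerts


if __name__ == "__main__":
    for alert in flag_egress_anomalies(parse_flows(SAMPLE_FLOWS)):
        print(f"{alert['day']} {alert['host']}: {alert['bytes']:,} bytes out "
              f"({alert['ratio']}x baseline of {alert['baseline']:,})")
```

Run as-is, the script flags only srv-files-01 on the last day; ws-hr-07's modest increase stays below the absolute floor. On real flow or proxy logs the same logic would sit behind a daily job, with the baseline window and thresholds tuned per host class, and a flagged day would be the trigger for the file-level forensic review described in the next paragraph rather than the end of the investigation.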
After ransomware incidents, organizations must conduct forensic reviews to determine exactly what files were accessed and whose information was involved. The process can take months when large volumes of data are stolen.
Under HIPAA, business associates are organizations that handle protected health information on behalf of healthcare providers or insurers. They must implement security safeguards and report breaches affecting that data.
The breach notice referenced only Washington residents because it was filed with that state’s attorney general. Additional patients could be affected if the compromised files contained data belonging to individuals in other states.