Talk to sales
Start for free

In October, we outlined what we knew about the CommonSpirit Health data breach. Last month, the health system confirmed that it was hit by a ransomware attack.

SEE ALSO: CommonSpirit Health says patient data was stolen during ransomware attack

CommonSpirit Health is Chicago-based but also one of the nation’s largest hospital systems. Ransomware attacks against such organizations are frequent for a variety of reasons including the value of protected health information (PHI).

Let’s explore the CommonSpirit breach further to demonstrate why HIPAA compliant email is vital within the healthcare industry.


CommonSpirit Health’s original breach notice


The health system confirmed an “IT security issue” in a short statement on October 4, 2022. Within, it stated that the breach impacted some of its facilities and that some patients had to reschedule appointments. Moreover, CommonSpirit took certain IT systems offline including its electronic health records (EHRs).

LEARN MORE: EMR or HER? What’s the difference?

The next day, CommonSpirit released a similarly brief statement apologizing for the inconvenience. Neither statement mentioned the type of breach, the data exposed, or the impact. Subsidiaries who reported issues include:

  • Nebraska- and Tennessee-based CHI Health facilities
  • Seattle-based Virginia Mason Franciscan Health providers
  • MercyOne Des Moines Medical Center
  • Houston-based St. Luke’s Health
  • Michigan-based Trinity Health System


CommonSpirit operates 700 care sites and 142 hospitals in 21 states.


CommonSpirit Health’s October/November update


Later in October, CommonSpirit released a new statement characterizing the IT incident as a ransomware attack. Since this discovery, the health system has notified law enforcement and a forensics investigative team. CommonSpirit now states that it experienced system interruptions across several states including Nebraska, Tennessee, Texas, Washington, and Iowa.

Those IT systems originally taken offline remained shut down. But by November, CommonSpirit announced that some patients could use its EHR systems. At the same time, they couldn’t schedule appointments through the portal.

The health system does not detail the type of PHI exposed or the number of affected individuals.


CommonSpirit’s latest breach update


The latest update states that “an unauthorized third party gained access to certain files, including files that contained [PHI].” It specifically mentions data from Franciscan Medical Group and/or Franciscan Health in Washington state. The files contain personal information for individuals who received services in the past as well as their affiliates.

CommonSpirit adds that there is “no evidence that any [PHI] has been misused as a result of the incident.” Under the HIPAA Act, it sent breach notification letters to those affected on December 1.

KNOW MORE: What is the HIPAA Breach Notification Rule?

The U.S. Department of Health Office for Civil Rights’ (OCR) Breach Portal lists the breach as a hacking/IT incident affecting 623,774 patients. On December 9, 2022, CommonSpirit released its official breach notice. Within the notice, the health system states that the hacker breached the systems between September 16 and October 3. Files accessed included the following information about patients, family members, and caregivers:

  • Name
  • Address
  • Phone number
  • Date of birth
  • Internal unique ID (not medical record or insurance number)


There is no confirmation on which group is responsible. At this time, no PHI was found on the dark web.


The true costs of a ransomware attack


Healthcare organizations are particularly vulnerable to ransomware attacks, even more so than other industries. In 2021, cyber incidents impacted more than 50.4 million medical records, and it looks like 2022 (and 2023) will exceed this number.

PHI is worth much to cybercriminals, and ransomware is an easy method to access that information. After stealing and/or encrypting data, threat actors can demand a ransom payment or sell the information on the black market. They may even do both. On top of this, are the costs associated with downtime or lawsuits.

READ MORE: Ransomware attack may have led to infant’s death

As of the end of December 2022, CommonSpirit was hit with a class-action lawsuit alleging negligence caused the ransomware attack. And of course, the possibility of a HIPAA violation, fine, and corrective action plan. OCR is currently investigating the incident.

This and every breach demonstrate that healthcare providers must invest in solid cybersecurity to protect themselves and their patients. Becoming a victim of ransomware is far more costly compared to implementing data security protocols.


Avoid ransomware headaches with Paubox


Every healthcare organization must use strong protections to block ransomware attacks.

READ ABOUT: Ransomware attacks on healthcare increase in 2022

There are many methods to keep data secure. Some of these options include employee training and strong storage and access policies. But given that one of the most common entry points is through phishing emails, strong email security is vital. Aspects of email security include:

  • A robust password policy
  • Multi-factor authentication
  • Regularly monitored networks
  • Filters and antivirus software
  • Encryption


Finally, good email security starts and stops with a HIPAA compliant email provider such as Paubox Email Suite. Paubox technology is HITRUST CSF certified and provides an advanced HIPAA compliant email solution. Our Plus and Premium solutions include robust inbound security tools to help block cyberattacks harming the healthcare industry. These features block threats like phishing emails and ransomware and send them to quarantine.

Whether part of a large hospital system like CommonSpirit or a standalone clinic, Paubox provides the right email protection to keep data and organizations HIPAA compliant and secure.


Start a 14-day free trial of Paubox Email Suite today