The second largest non profit hospital chain in the U.S. was the victim of a ransomware attack that lasted for months in October 2022. This article describes the CommonSpirit Health Ransomware Attack as one of the biggest cybercrime incidents in 2022. Jump in to learn exactly how the attack unfolded and see what CommonSpirit Health could have done better before and during the incident.
Learn about the different examples of ransomware and see what strategies criminals use to encrypt files and pressure victims into paying for the decryption key.
What Happened During the CommonSpirit Health Ransomware Attack?
On October 2, 2022, CommonSpirit’s security team detected strange activity on several networks. The organization’s summary of events states that the team took immediate action to:
Malicious activities and precautionary system shut downs disrupted access to electronic medical records (EHRs), forcing multiple facilities to delay patient care. Hospitals and care sites in several states reported interruptions, including:
- Nebraska.
- Tennessee.
- Texas.
- Washington.
- Iowa.
CommonSpirit acknowledged the attack publicly three days later, on October 5. The organization refused to comment on the nature and scope of the breach. They described the issue as “IT security” rather than ransomware. CommonSpirit did not reveal whether the intruders had accessed any patient information or health data at that time. Between September 16 and 3, threat actors infiltrated parts of the network. As of March 2023 the healthcare provider had not yet assigned the attack to any specific ransomware group. The identity of the threat agent is also unknown, as no criminal organization has claimed responsibility.
While CommonSpirit refuses to admit how malicious software got into its network, experts believe criminals compromised an account of a higher-level administrator through phishing.
The database record admin.
Speculative “post-mortems” suggest the two most likely targets are:The hospital domain admin.
Once The Office for Civil Rights must be notified of a ransomware attack encrypting PHI. However, if a breach risk assessment proves a low probability of compromise, the OCR will not rule the incident a HIPAA violation.
- Who Was Affected by the CommonSpirit Health Data Breach?
- CommonSpirit revealed that threat actors reached the personal data of individuals who received care at the seven Franciscan Health hospitals in Washington state (plus several associated physician clinics). Here’s a list of the affected facilities:
- St. Anne Hospital, previously Highline Hospital in Burien.
- St. Michael Medical Center, formerly Harrison Hospital (Bremerton & Silverdale).
- St. Joseph Hospital (Tacoma)
- St. Francis Hospital (Federal Way)
- St. Anthony Hospital (Gig Harbor)
- St. Elizabeth Hospital (Enumclaw).
- St. Clare Hospital (Lakewood).
Intruders accessed the personal data of 623,774 patients during the CommonSpirit Health ransomware attack. Hackers gained access to the personal data of family members and caregivers. The incident also had indirect effects on other hospitals. The following facilities reported issues:
- Seattle-based Virginia Mason Franciscan Health providers.
- MercyOne Des Moines Medical Center.
- CHI Health facilities in Nebraska and Tennessee.
- Houston-based St. Luke’s Health.
- Michigan -based Trinity Health System.
Restoring systems to a pre-incident state was slow and challenging. Most hospitals recovered within two to three weeks, but a few still did not have all EHR systems back online on November 9 (more than a month after the attack).
CommonSpirit also suffered staggering financial losses at this time. The organization refused to say whether they paid the ransom. However, the provider suffered estimated losses of $150 million. This figure includes:
The cost of restoring IT systems to pre-incident state.
Lost revenue from the business interruption.
CommonSpirit is also facing a class-action suit alleging negligence played a role in the ransomware attack. A Washington state patient filed the lawsuit on December 29, 2022, blaming the provider for failing to “exercise reasonable care” and placing patients at an increased risk of identity theft.
What Data Was Compromised?
The CommonSpirit Health ransomware attack enabled hackers to access the sensitive data of over 620,000 patients, as well as their family members and caregivers. Criminals managed to reach:Names.Addresses.
- Phone numbers.
- Dates of birth.
Unique IDs used internally by the organization (not the Medical Record Number or insurance ID).
While CommonSpirit continues to claim that there’s no evidence hackers “misused” any personal info, this data is a gold mine for identity theft. In most cases, criminals sell that type of data to the highest bidder or simply post it on the dark web.
If hackers managed to exfiltrate data before encryption, chances are we’ll be seeing the effects of this attack for years to come.
- Stealing sensitive data is a common goal of hackers, but not the only one. Learn about the different types of cyberattacks and see what each of them aims to accomplish.
- How Could the CommonSpirit Health Ransomware Attack Be Prevented?
- CommonSpirit Health operates 142 hospitals and over 2,200 care sites within 21 states. This immense attack surface is challenging to protect, but the organization should have invested more time and effort into ransomware prevention.
- Here’s what the provider could have done better before and during the CommonSpirit Health ransomware attack:
- Lackluster network security:
Since hackers spent 18 days moving between systems, chances are the provider did not invest in network segmentation, strict access controls, intrusion detection systems (IDSes), or zero-trust security measures.
Inefficient response:
The lack of an effective incident response and disaster recovery plan prevented the organization from quickly restoring operations. According to reports, it took the provider more than two full weeks after the initial attack for limited EHR functionality to be restored. Poor phishing defenses :
Since criminals created an entry point to the network using phishing, it is likely that the provider didn’t invest heavily in employee security awareness or email security. Email filtering is a relatively simple way to stop phishing attempts. Staff can also be taught to identify signs of suspicious emails (unusual greetings, grammar mistakes, non-matching domain names and addresses, and unusual requests). If the provider had used encryption to protect the stored data, attackers could not steal PHI after the data was exfiltrated. Chances are the organization also lacked up-to-date data backups judging by how long the provider took to restart operations.
No third-party expert support:
According to reports, CommonSpirit Health reached out to security experts only after they identified suspicious network activity. If your in-house team lacks the necessary know-how to prevent ransomware, hiring third-party specialists is a no-brainer investment (and a significantly smaller one than what criminals ask for decryption keys).
Concerned about ransomware attacks?
You’re not paranoid ransomware accounted for over 20% of all cybercrime in 2022 . Protect yourself from this cyber threat with Puyka’s ransomware protection and our unique mix of immutable data backups and cloud-based disaster recovery.
Ransomware Attacks in Healthcare
Healthcare providers are no strangers to ransomware attacks. Despite some security improvements in recent years, hospitals remain one of the most common targets for this type of cybercrime.Here are a few stats that demonstrate the danger ransomware attacks pose to the healthcare industry:
Around 66% of all hospitals in the US were the target of a ransomware attack at some point in 2022.Two in three healthcare IT professionals report a “significant cybersecurity incident” in the past 12 months.
The average recovery time for a healthcare provider following a ransomware attack is one week. In 2021, this number was lower (around 6.2).The cost to restore services and systems back to their pre-ransomware states was an average of $1.85m in 2022.
In the year 2022, 61% of all ransomware incidents were paid by healthcare providers. No other industry had a higher rate.Healthcare providers paid an average ransom of around $197,000 in 2022, the lowest of any sector. However, the average ransom demand in healthcare was “only” $16,000 in 2020.The average healthcare data breach now costs $10.1 million, the highest of any industry.
Hospital security teams take an average of 232 days to detect a breach and an additional 85 days to contain the threat.
There were 24 successful ransomware attacks on US-based healthcare providers in 2022 (incidents affected a total of 289 hospitals). Criminals stole files and threatened to cause a data leakage in 17 out of 24 confirmed attacks.
Almost 22% of healthcare organizations believe that ransomware had a direct impact on patient mortality rates in 2022.
Three in four ransomware attacks on hospitals lead to operational disruptions, such as canceled surgeries and extended hospital stays.
Experts predict the global cost of ransomware attacks on the healthcare industry willexceed $25 billion by 2025.
Learn from the CommonSpirit Health Ransomware Attack
While we still do not have all the details surrounding the incident (and we likely never will), it’s clear the recent attack was devastating to CommonSpirit Health. The hospital chain is under pressure from reports of large losses, lawsuits, and reputational damage. Avoid a similar situation by preparing for ransomware.
About The Author
