CommonSpirit Health Issues Update Confirming 164 Facilities Affected by Ransomware Attack
CommonSpirit Health has issued an update about its October 2022 ransomware attack and has confirmed that patients from 164 facilities were affected by the attack and had their sensitive data exposed or stolen. CommonSpirit Health detected the ransomware attack on October 2, 2022, and the forensic investigation revealed unauthorized individuals had access to its systems between September 16, 2022, and October 3, 2022.
In December 2022, CommonSpirit Health confirmed that the threat actor responsible for the attack had stolen patient data prior to encrypting files, and said patients of Franciscan Medical Group/Franciscan Health and Virginia Mason Franciscan Health facilities had been affected. Those individuals were notified about the data breach in December. In February 2023, CommonSpirit Health issued a further update confirming the attackers also obtained the data of patients of St. Luke’s Diagnostic Cath Lab, Diagnostic Heart Center in Houston, TX, and sent notifications to those individuals in February.
The latest update on the ransomware attack was issued on April 6, 2023, and confirmed that the breach affected patients who had received care at certain facilities operated by Catholic Health Initiatives, Dignity Health, Centura Health, and MercyOne and shared a list of 164 hospitals and care sites that are known to have been affected. The investigation confirmed that the attackers had access to two file servers that contained files that included patient data such as names, addresses, birth dates, phone numbers, email addresses, dates of service, medical record numbers, healthcare provider names, diagnosis/treatment information, medical billing/claims information, patient facility associated account/encounter numbers, and health insurance information and, for a small number of individuals, Social Security numbers.
CommonSpirit Health said the delay in issuing the latest notifications was due to the incredibly time-consuming review of all files stored on those file servers to determine if they contained patient data, and which patients had been affected. The initial phase of that process was completed on February 21, 2023, and then accurate address information needed to be found to allow notifications to be sent.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
CommonSpirit Health reported the data breach to the HHS’ Office for Civil Rights on December 1, 2022, as affecting 623,774 individuals. That total has not been updated since, and CommonSpirit Health has not publicly confirmed at this stage exactly how many individuals have been affected. Given the number of hospitals now known to have been affected, that total is likely to increase by a substantial amount.
The full list of affected facilities detailed in the April 6 update is:
| Hospital/Care Site | State |
| St. Vincent Infirmary Little Rock | Arkansas |
| St. Vincent North Sherwood | Arkansas |
| St, Vincent Hot Springs Hot Springs | Arkansas |
| St. Vincent Morrilton Morrilton | Arkansas |
| CHI St. Vincent Medical Group Little Rock | Arkansas |
| CHI St. Vincent Medical Group Hot Springs | Arkansas |
| CHI Memorial Georgia Hospital Fort Oglethorpe | Georgia |
| CHI Memorial – Parkway Ringgold | Georgia |
| CHI Memorial Medical Group All Locations | Georgia |
| CHI Health Mercy Council Bluffs Council Bluffs | Iowa |
| CHI Health Missouri Valley Missouri Valley | Iowa |
| CHI Health Mercy Corning Corning | Iowa |
| Flaget Memorial Hospital Bardstown | Kentucky |
| Saint Joseph Hospital Lexington, Nicholasville | Kentucky |
| Saint Joseph Health Community Pharmacy Lexington | Kentucky |
| Saint Joseph – Berea Berea | Kentucky |
| Saint Joseph East Lexington | Kentucky |
| Saint Joseph London London | Kentucky |
| Saint Joseph Martin Martin (sold) | Kentucky |
| Saint Joseph Mount Sterling Mount Sterling | Kentucky |
| Saint Joseph Mount Sterling Outpatient Rehab Mount Sterling | Kentucky |
| Saint Joseph Mount Sterling Outpatient Rehab Flemingsburg | Kentucky |
| Continuing Care Hospital Lexington | Kentucky |
| CHI Saint Joseph Medical Groups Central & Eastern Kentucky | Kentucky |
| Jewish Hospital – Louisville (Sold), formerly part of CHI | Kentucky |
| CHI LakeWood Health Baudette | Minnesota |
| CHI St. Francis Health Breckenridge | Minnesota |
| CHI St. Joseph’s Health Park Rapids | Minnesota |
| CHI St.Gabriel’s Health Little Falls | Minnesota |
| CHI St. Francis Home Breckenridge | Minnesota |
| CHI Health at Home All locations | Minnesota |
| CHI Health Lakeside Omaha | Nebraska |
| CHI Health Midlands Papillion | Nebraska |
| CHI Health Plainview Plainview | Nebraska |
| CHI Health Creighton University Medical Center – Bergan Mercy Omaha | Nebraska |
| Lasting Hope Recovery Center Omaha | Nebraska |
| CHI Health Immanuel Omaha | Nebraska |
| CHI Health Schuyler Schuyler | Nebraska |
| CHI Health Good Samaritan Kearney | Nebraska |
| CHI Health Richard Young Behavioral Health Kearney | Nebraska |
| CHI Health Nebraska Heart Lincoln | Nebraska |
| CHI Health St. Elizabeth Lincoln | Nebraska |
| CHI Health St. Francis Grand Island | Nebraska |
| CHI Health St. Mary’s Nebraska City | Nebraska |
| The Physician Network ( including Nebraska Specialty Network, and | Nebraska |
| Lincoln Physician Network) All locations | Nebraska |
| CHI St. Alexius Medical Center Bismarck | North Dakota |
| CHI St. Alexius Health Carrington & Clinics (includes Foster County | North Dakota |
| Medical Center) Carrington | North Dakota |
| CHI St. Alexius Carrington Urgent Care Carrington | North Dakota |
| CHI Lisbon Health Lisbon | North Dakota |
| CHI St. Alexius Health Devils Lake & Clinics Devils Lake | North Dakota |
| CHI Mercy Health Valley City Valley City | North Dakota |
| CHI St. Alexius Health Williston Williston | North Dakota |
| CHI Oakes Hospital & Clinics Oakes | North Dakota |
| CHI St. Alexius Health Turtle Lake Turtle Lake | North Dakota |
| CHI St. Alexius Health Garrison & Clinics Garrison | North Dakota |
| CHI St. Alexius Health Dickenson & Clinics Dickenson | North Dakota |
| CHI Health at Home Fargo | North Dakota |
| CHI Friendship Fargo | North Dakota |
| CHI St. Alexius Physician Clinics All Locations | North Dakota |
| Trinity Medical Center East and West Steubenville | Ohio |
| Trinity Hospital Twin City Dennison | Ohio |
| Ross Park Pharmacy Steubenville | Ohio |
| Trinity Professional Group All locations | Ohio |
| Trinity Home Health All locations | Ohio |
| CHI Mercy Health Medical Center Roseburg | Oregon |
| CHI St. Anthony Medical Center Pendleton | Oregon |
| Oregon Surgery Center Roseburg | Oregon |
| Centennial Medical Group Roseburg | Oregon |
| CHI St. Joseph Children’s Health Lancaster | Pennsylvania |
| CHI Memorial Hospital Chattanooga Chattanooga | Tennessee |
| CHI Memorial Hospital Chattanooga Outpatient Pharmacy Chattanooga | Tennessee |
| CHI Memorial Hospital Hixson Hixson | Tennessee |
| Chattanooga Heart Institute Chattanooga | Tennessee |
| CHI Memorial Medical Group All Locations | Tennessee |
| CHI Baylor St. Luke’s Medical Center Houston | Texas |
| CHI St. Luke’s Health Hospital at The Vintage Houston | Texas |
| CHI St. Luke’s Health Brazosport Hospital Lake Jackson | Texas |
| CHI St. Luke’s Health Lakeside Hospital The Woodlands | Texas |
| CHI St. Luke’s Health Patients Medical Center Pasadena | Texas |
| CHI St. Luke’s Health Springwoods Village Spring | Texas |
| CHI St. Luke’s Health Sugar Land Hospital Sugar Land | Texas |
| CHI St. Luke’s Health The Woodlands The Woodlands | Texas |
| CHI St. Joseph Regional Medical Center Bryan | Texas |
| CHI St. Joseph Health Burleson Hospital Burleson | Texas |
| CHI St. Joseph Health Grimes Hospital Navasota | Texas |
| CHI St. Joseph Health Madison Hospital Madisonville | Texas |
| CHI St. Joseph Health College Station Hospital College Station | Texas |
| St. Joseph Encompass Health Rehab Bryan | Texas |
| St. Joseph Skilled Nuring and Rehab Bryan and Caldwell | Texas |
| CHI St Luke’s Health Memorial Lufkin Lufkin | Texas |
| CHI St Luke’s Health Memorial Livingston Livingston | Texas |
| CHI St Luke’s Health Memorial St. Augustine St. Augustine | Texas |
| CHI St. Luke’s Medical Group All locations | Texas |
| CHI St. Joseph Health Medical Group All locations | Texas |
| CHI St. Luke’s Health Memorial Clinics All locations | Texas |
| St. Michael Medical Center (formerly Harrison Hospital) Bremerton & Silverdale | Washington |
| St. Anne Hospital (Formerly Highline Hospital) Burien | Washington |
| St. Anthony Hospital Gig Harbor | Washington |
| St. Clare Hospital Lakewood | Washington |
| St. Elizabeth Hospital Enumclaw | Washington |
| St. Francis Hospital Federal Way | Washington |
| St. Joseph Hospital Tacoma | Washington |
| The former CHI Franciscan Health System Tacoma | Washington |
| Franciscan Health Medical Group All locations | Washington |
| Franciscan Hospice and Palliative Care Tacoma | Washington |
The breach also affected patients who received care through CHI Health at Home at the following facilities:
| Hospital/Care Site |
| Albany Area Home Health and Hospice North Dakota – closed |
| American Nursing Care Columbus IN |
| American Nursing Care Dayton, OH |
| American Nursing Care Marion, OH |
| American Nursing Care Zanesville, OH |
| American-Mercy Home Care Cincinnati, OH |
| Amerimed Home Infusion Indianapolis, IN |
| Amerimed Home Infusion Lexington & Louisville, KY |
| Amerimed Home Infusion West Chester, OH |
| CHI Franciscan Health at Home University Place, WA |
| CHI Franciscan Hospice and Palliative Care Tacoma, WA |
| CHI Health at Home Breckenridge & Little Falls, MN |
| CHI Health at Home |
| Bismark, Dickinson, Valley City, & |
| Williston, ND |
| CHI Health at Home Plainview, NE |
| CHI Health at Home Milford Cincinnati, OH |
| CHI Health at Home Hospice Lincoln & Omaha, NE |
| CHI Health at Home Infusion Omaha, NE |
| CHI Health at Home, Home Care Grand Island, Lincoln, Omaha, NE |
| CHI Health Pharmacy Omaha, NE |
| CHI Memorial Health at Home Chattanooga, TN |
| CHI St. Joseph’s Hospice Park Rapids, MN |
| CHI St. Vincent Health at Home Hot Springs, Little Rock & Morrilton, ARK |
| Community Health at Home Indianapolis, IN |
| Community Mercy Home Care Springfield, OH |
| Community Mercy Home Care Pharmacy West Chester, OH |
| Cornerstone Medical Services (closed) Cincinnati, Columbus, & Akron OH |
| Deaconess Home Health Evansville, IN |
| Good Samaritan Home Care Vincennes, IN |
| Good Samaritan Home Care Lawrenceville, IL |
| Great Plains Rehabilitation Services Bismarck, Dickinson, ND |
| Hospice House University Place Tacoma, WA |
| Josie Harper Hospice House Omaha, NE |
| MedQuest Home Medical Equipment Williston, ND |
| Mercy Home Health Roseburg, OR |
| Reid Home Health Care Eaton, OH |
| Reid Home Health Care Richmond, IN |
| Southeastern Home Care Barnesville & Cambridge, OH |
| St. Elizabeth Home Care Florence, KY |
| St. Elizabeth Home Care Lawrenceburg, IN |
| St. Elizabeth Home Medical Equipment Lincoln NE |
| St. Vincent Heatlh at Home Arkansas |
| Virginia Mason Franciscan Pharmacy & Home Care Tacoma, WA |
| VNA Health at Home Clarksville, IN |
| VNA Health at Home Bardstown, Campbellsville, Elizabethtown, |
| Lexington, London, & Louisville, KY |
| VNA Health at Home Hospice Bardstown & London, KY |
| Associated and Former CommonSpirit/CHI Facilities |
| Centura Health System Colorado and Kansas |
| Jewish Hospital Louisville, KY |
| Mercy Medical Center Des Moines and Affiliates Des Moines, Iowa |
| Mercy Home Health Services – Iowa Iowa |
| Mercy Hospice Johnston-Iowa Iowa |
| St. Clare’s Hospital Denville, NJ |
| St. Joseph Medical Center, Reading Reading, PA |
| University of Louisville Medical Center Louisville, KY |
