Personal data leaked in St. Michael ransomware attack

CommonSpirit Health has confirmed that personal data of patients at St. Michael Medical Center in Silverdale may have been accessed in an extensive ransomware attack this fall.

The Catholic healthcare giant, which has over 1,000 care sites and hospitals in 21 states, was disrupted for weeks after an “IT-related security issue” forced the shutdown of a number of online systems in October and early November. Doctors and patients at St. Michael were unable to access online medical records and charting systems, which forced the cancellation of appointments ranging from doctor’s visits to major medical procedures.

In a Dec. 1 update on its website, CommonSpirit says patient data at the Virginia Mason Franciscan Health provider may have been at risk just over two weeks before the attack was acknowledged.

“The investigation determined that an unauthorized third party gained access to certain portions of CommonSpirit’s network between September 16, 2022 and October 3, 2022,” the statement says. “During that time, the unauthorized third party may have gained access to certain files, including files that contained personal information.”

The review of the files is still being conducted, but some data has already been identified, including the personal information of patients who have received services in the past, along with family members and caregivers of those patients. Such data could include names, addresses, phone numbers, birth dates and unique IDs used only by the hospital.

“Though CommonSpirit has no evidence that any personal information has been misused as a result of the incident,” the statement says, “it is always prudent for patients to review health care statements for accuracy and report any services or charges that were not incurred to the provider or insurance carrier.”

Despite the frustrations expressed by workers and patients, CommonSpirit stood by its response to the attack, saying “Upon discovering the ransomware attack, CommonSpirit quickly mobilized to protect its systems, contain the incident, begin an investigation, and maintain continuity of care. In addition, CommonSpirit notified law enforcement and is supporting their ongoing investigation. Once secured, systems were returned to the network with additional security and monitoring tools.”

Affected individuals should expect to receive a letter from CommonSpirit informing them of the incident. The provider said it will use information from the files to determine which individuals’ information was put at risk and send out letters.

CommonSpirit has also set up a call center to help answer questions about the incident at 855-504-2738 from 7 a.m. to 4:30 p.m. weekdays.