
CommonSpirit cyberattack spurs IT outages at CHI Memorial, hospitals across US

A cyberattack struck one of the largest nonprofit health systems in the U.S., CommonSpirit Health, and is causing IT disruptions at multiple subsidiary hospitals across the U.S. (Photo Credit: "Emergency room" by KOMUnews is licensed under CC BY 2.0.)

A cyberattack deployed against CommonSpirit has led to IT outages at hospitals across the U.S., including multiple CHI Memorial hospitals in Chattanooga, Tennessee. Local media outlets report the incident has also caused disruptions at hospitals run by Virginia Mason Franciscan Health (VMFH) in Seattle.

While some local reports claim the attack struck the electronic health record (EHR) vendor, the cyber incident in fact struck CommonSpirit, the second-largest nonprofit hospital chain in the country. CommonSpirit operates more than 700 care sites and 142 hospitals in 21 states.

A CHI Memorial spokesperson confirmed the cyberattack, citing “an IT security issue” at its parent company CommonSpirit Health. CHI Health operates 28 hospitals in the U.S., including in Tennessee and Nebraska, where impacts have been confirmed.

Local media reports show all CHI facilities in Omaha have been affected, including Lakeside Hospital, Creighton University Medical Center, Bergan Mercy, and Immanuel Medical Center. The incident began as early as Oct. 3 and has impacted a number of care sites tied to CommonSpirit facilities in several regions.

For CHI Memorial, the hospital took certain IT systems offline as “a precautionary step” — including its EHR and other systems. The hospitals are following previously planned protocols used to handle system outages and are “taking steps to minimize the disruption.”

However, as a result of the IT disruptions, CHI Memorial has rescheduled some patient procedures. Patients are being told a provider or care facility leader will contact them if appointments are impacted. The provided statements do not explain whether emergency care diversion is in place.

VMFH is reporting impacts to patients and employees at multiple care sites in Washington, which have also led to some patient appointments being rescheduled and a lack of access to the online patient portal.

MercyOne Des Moines Medical Center has also shut down some of its IT systems and its EHR following the CommonSpirit incident. Some ambulances were also diverted from the hospital on Monday, immediately following the cyberattack and outages. The Des Moines Register reported the Iowa Methodist Medical Center received some of the diverted patients during that time period.

The cyberattack and its expansive impact bear the hallmarks of the 2020 ransomware attack on Universal Health Services, one of the largest U.S. health systems. The three-week-long outage was felt in care sites across the country; however, the EHR was not directly impacted by the attack. Overall, the outages cost UHS $67 million in lost revenue and recovery efforts.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
