Ransomware Attack Costs CommonSpirit Health Over $150 Million

CommonSpirit Health, one of the largest health systems in the United States, has revealed that the ransomware attack it experienced in October 2022 has resulted in significant costs to date. The health system has reported costs of over $150 million, and these costs are expected to continue to rise as the investigation into the attack and data breach continues. As a result of the attack, CommonSpirit Health has faced additional legal troubles and is now facing multiple class action lawsuits. These lawsuits have been filed by individuals whose protected health information was exposed during the breach, and they are seeking damages. The lawsuits, if successful, could have a significant impact on the financial standing of CommonSpirit Health.

Following the ransomware attack in October 2022, CommonSpirit Health quickly responded by securing its network and bringing in external cybersecurity experts. Upon completing a comprehensive investigation, the health system concluded that between September 16 and October 3, 2022, an unauthorized third party had gained access to specific parts of its network. During this period, the third party may have accessed files containing personal information of patients, family members, or caregivers who had received services from Franciscan Medical Group or Franciscan Health facilities in Washington state, which are now part of Virginia Mason Franciscan Health and are affiliated with CommonSpirit Health. The personal information exposed in the breach included names, addresses, phone numbers, dates of birth, and an internal unique ID.

Although the breach resulted in unauthorized access and potential exposure of personal information, CommonSpirit Health has not found any evidence of personal information being misused in the aftermath of the incident. The health system remains committed to investigating the matter thoroughly and has provided support to those affected. In addition, CommonSpirit Health has enhanced its security measures and invested in additional cybersecurity resources to prevent future incidents. 

Healthcare data breaches are the most expensive to resolve, according to the IBM Security Annual Cost of a Data Breach Report for 2022, with an average cost of $10.1 million per breach. The recent ransomware attack on CommonSpirit Health exposed the personal information of 623,700 individuals, which although a relatively small proportion of the 20 million patients served by the health system, Catholic Health Initiatives, and Dignity Health, caused a month-long outage and significant costs. The financial position of the Catholic health system was severely impacted, resulting in operating losses of $1.3 billion in the fiscal year ending June 30, 2022, and net losses of $1.85 billion. 

CommonSpirit Health is taking several steps to improve its financial sustainability after the losses from the recent ransomware attack and data breach. The healthcare provider aims to create an environment and culture that promotes employee growth and development while redesigning its system, care models, and technologies to align with clinician interests. They’re also building an efficient and unified system to streamline their work. Despite the challenges of the pandemic, labor shortages, and inflation, CommonSpirit Health remains dedicated to delivering high-quality healthcare services, reducing costs and improving patients’ experience.