Updated Oct. 13 at 10:00 a.m.
CommonSpirit Health is now characterizing the interruption of IT services across several of its hospitals as a ransomware attack.
In the week since it disclosed an "IT security incident" that forced EHR shutdowns and appointment cancelations, the Catholic health giant said Wednesday that it has notified law enforced and tapped "leading cybersecurity specialists" to support its a forensics investigation.
"Upon discovering the ransomware attack, CommonSpirit took immediate steps to protect our systems, contain the incident, begin an investigation and ensure continuity of care," the system said in an emailed statement. "Patients continue to receive the highest quality of care, and we are providing relevant updates on the ongoing situation to our patients, employees and caregivers. Patient care remains our utmost priority and we apologize for any inconvenience this matter has created."
CommonSpirit said its facilities are following pre-established system outage protocols that include taking certain systems, such as its EHRs, offline.
The Chicago-based system operates 142 hospitals and over 2,200 sites of care within 21 states. It has seen system interruptions across several states including Nebraska, Tennessee, Texas, Washington and Iowa as a result of the attack.
Updated Oct. 7 at 1:12 p.m.
Following the confirmation from CommonSpirit Health that a cybersecurity incident has disrupted medical systems in numerous but unidentified locations, reports from patients and health providers has revealed the ongoing effect of the attack that reportedly began Monday.
CommonSpirit confirmed in a statement to Fierce Healthcare that IT outages are taking place as a precautionary measure and that some patient’s may be notified regarding changes to appointments.
Subsidiaries of CommonSpirit have reported being affected by the attack including CHI Health facilities in Nebraska and Tennessee, Seattle-based Virginia Mason Franciscan Health providers, MercyOne Des Moines Medical Center, Houston-based St. Luke's Health and Mich.-based Trinity Health System.
The first reports of outages came on Tuesday from CHI Health and Virginia Mason Franciscan Health. CHI health reportedly later delayed surgeries.
"We drive to Bergan Mercy, go in the procedure center, walk up to the front counter, and I'm like 'I'm here to check-in,' and there was some stammering and stuttering and they're like, 'Well all the procedures have been canceled today,'" a CHI Health patient who reported that upon arriving at a CHI facility on Oct. 3 learned that their colonoscopy was canceled told NBC.
Seattle-based Virginia Mason Franciscan Health providers St. Michael Medical Center and St. Anthony Hospital also reported being affected.
A caregiver reported to the KitSap Sun that staff at St. Anthony Hospital were unaware of her sister’s appointment and could not “put anything in the computer.” She reported observing staff using a makeshift paper system of record keeping and phones to communicate with providers and payers.
MercyOne Des Moines Medical Center also had to shut down its EHR system and other IT systems. Ambulances were reportedly rerouted to other medical facilities for a brief time on Oct. 3.
A nurse at the Houston-based St. Luke's Health told a local news outlet that some facilities are fully paper charting, with some patients' lab work not being processed, and appointments being canceled.
Livonia, Mich.-based Trinity Health System has also taken IT systems offline, including its EHR system. A spokesperson from Trinity told NBC.
CommonSpirit Health is managing an IT security incident affecting some of its facilities in multiple regions, the company said in a statement to Fierce Healthcare.
The number of facilities affected is still undisclosed as is the security of patient data following the incident which reportedly began Monday.
“As a result of this incident, we have rescheduled some patient appointments in some of our communities,” CommonSpirit’s statement said. “Patients will be contacted directly by their provider and/or care facility if their appointment is impacted.”
The Chicago-based health system is one of the largest in the country, operating 142 hospitals and over 2,200 sites of care within 21 states.
“As a precautionary step we have taken certain IT systems offline, which in some of our divisions includes electronic health record systems and other systems,” the statement said. “Our facilities are following existing protocols for system outages and taking steps to minimize the disruption.”
CommonSpirit’s Nebraska-based subsidiary CHI Health has reported outages in all of its Omaha hospitals—Lakeside Hospital, Creighton University Medical Center, Bergan Mercy and Immanuel Medical Center.
Two CHI Health hospitals in Chattanooga, Tennessee, moved some systems offline including electronic health records, according to a statement from CHI Memorial.
The Seattle-based Virginia Mason Franciscan Health has also reported being impacted by the outage. VMFH operates hospitals and clinics in the Puget Sound region, including St. Joseph Medical Center in Tacoma. Patients were reportedly unable to access the online patient portal, MyChart.
“We take our responsibility to ensure the privacy of our patients and IT security very seriously,” the statement said.
CommonSpirit is one of many notable nonprofit health systems reporting significant losses for the most recent fiscal year. The health system, which was formed in a 2019 merger of Catholic Health Initiatives and Dignity Health, reported $1.85 billion in losses in 2022.
The Catholic organization recently appointed Wright Lassiter, formerly of Henry Ford Health, as its new CEO and successor to Lloyd Dean.