Huge nonprofit hospital network suffers IT meltdown after ‘security incident’

America’s second-largest nonprofit healthcare org is suffering a security “issue” that has diverted ambulances and shut down electronic records systems at hospitals around the country.

CommonSpirit Health, a Chicago-based organization that has more than 1,000 facilities and 140 hospitals across 21 states, this week copped to an “IT security issue” affecting “some” of its locations. The nonprofit, in a very brief notice posted on its website, said it took some systems offline, including “electronic health record (EHR) and other systems.”

“Our facilities are following existing protocols for system outages and taking steps to minimize the disruption,” the statement continued. “We take our responsibility to ensure the security of our IT systems very seriously. As a result of this issue, we have rescheduled some patient appointments.”

Journalists report that the snafu began Monday, shuttering electronic-health record systems, canceling prescription refills, and forcing patients to reschedule procedures at CommonSpirit hospitals and medical facilities in Nebraska, Washington, Illinois and Tennessee. It also forced Des Moines ambulances to reroute and take patients to other, non-affected hospitals and clinics in the Iowa city.

CommonSpirit has yet to provide additional details about the cause of the issue, how many facilities were affected, whether any patient data was stolen in what may have been a cyberattack, and whether or not ransomware was involved, even following our prodding of the org.

Some infosec watchers, however, say it has all the makings of a ransomware attack. Kevin Beaumont, in a tweet that cited “incident response chatter,” said the IT meltdown “is ransomware for sure.”

At least 15 US healthcare systems operating 61 hospitals have been hit by ransomware so far this year, according to Emsisoft analyst Brett Callow. In at least 12 of these infections, miscreants got hold of data including protected health information.

“Statistically speaking, a ransomware attack is the most likely explanation for an incident such as this,” Callow told The Register, when asked about the CommonSpirit drama. 

Callow pointed to a ransomware attack against Scripps last year, which cost more than $100 million to fix. For comparison: Scripps has five hospitals and 19 other facilities compared to CommonSpirit’s empire.

We’re also told that 1,203 American healthcare providers were hit by cybercriminals in 2021.

“Whether attacks are decreasing or increasing has been the subject of some debate,” Callow said. “Either way, with the second largest school district in the US and the second largest nonprofit healthcare system both being hit in recent weeks, it certainly doesn’t feel like we’re winning the battle.” ®