CommonSpirit confirms ransomware attack as U.S. hospitals deal with fallout

CommonSpirit Health — one of the largest nonprofit health care systems in the U.S. — confirmed on Wednesday evening that it was hit with a ransomware attack that caused widespread IT outages at hospitals across the country over the last week.

A spokesperson for the organization told The Record that after the ransomware attack was discovered, CommonSpirit staffers contacted law enforcement and hired cybersecurity specialists to deal with the response and contain the incident. 

Last week, CommonSpirit Health announced that it was “managing an IT security issue” impacting several electronic health record systems across the country. Several facilities among the organization's more than 1,000 care sites and 140 hospitals in 21 states reported widespread outages and issues with computer systems. 

Employees at hospitals have turned to social media and news outlets as the problems cascaded over the last week. 

One anonymous nurse took to Reddit to harshly criticize the organization for its response to the crisis, calling it a “nightmare” and corroborating other reports that dozens of hospitals now have to use paper charts that were not standardized. 

Patient history is difficult to access for several facilities and pharmacies are reportedly unable to verify orders or print official labels. Some hospitals now have to use fax machines to share prescriptions. Employees are getting more information about the incident from the media than from CommonSpirit, according to the post.

But on Wednesday, CommonSpirit Health defended its response to the attack, claiming that patients at their hospitals “continue to receive the highest quality of care” and that they have been providing “relevant” updates on the situation to patients, employees and others. 

“Patient care remains our utmost priority and we apologize for any inconvenience this matter has created. Our facilities are following existing protocols for system outages, which includes taking certain systems offline, such as electronic health records,” the organization said. 

“In addition, we are taking steps to mitigate the disruption and maintain continuity of care. To further assist and support our team in the investigation and response process, we engaged leading cybersecurity specialists and notified law enforcement. We are conducting a thorough forensics investigation as we restore full functionality and reconnect our systems. Central to our decision-making has been and will continue to be our ability to carry out our mission in a manner that is safe and effective to those we serve.”

The Chicago-based organization did not respond to several questions about the number of facilities affected, a timeline for recovery and whether a ransom has been demanded or paid. 

In a similar statement published on their website, the organization touted the fact that two hospital systems in the organization's network “have had minimal impacts on operations by this incident.” 

Over the course of this past week, we have been managing a response to a cyberattack that has impacted some of our facilities. Patient care remains our utmost priority and we apologize for any inconvenience this matter has created. For more info. visit https://t.co/q5DnaQI81S

— CommonSpirit Health (@commonspirit) October 12, 2022

“For the other parts of our health system that have seen impacts on operations, we are working diligently every day to bring systems online and restore full functionality as quickly and safely as possible,” the statement said. 

Several local news outlets across the U.S. reported on hospitals in their area facing issues due to the outage. 

The 911 system of an Omaha, Nebraska county was crippled by the attack, forcing responders to use handwritten notes.

MercyOne Des Moines Medical Center had to divert ambulances due to the outage, and other issues were reported at CommonSpirit’s facilities in Chattanooga, Tennessee.

The Omaha World-Herald reported that all CommonSpirit facilities in Omaha were impacted, including Lakeside Hospital, Creighton University Medical Center-Bergan Mercy and Immanuel Medical Center.

A Washington state news outlet said St. Michael Medical Center in Silverdale, Kitsap County’s main hospital and St. Anthony Hospital in Gig Harbor have all been affected by the incident as well. 

On Wednesday, a nurse at St. Michael Medical Center reportedly called 911 and asked for the fire department to come help the hospital manage an influx of patients due in part to the lack of an IT system. 

“The charge nurse expressed two times that they feel like they’re drowning because they had over 45 patients in the waiting room and only five nurses," Central Kitsap Fire and Rescue Chief Jay Christian told the Kitsap Sun.

"She said, ‘We’re in dire straits, we need the fire department help, can somebody come up here and help us?’”