Massive U.S. nonprofit health care system grappling with 'IT security issue'

One of the largest nonprofit health care systems in the U.S. is dealing with a wide-ranging IT security issue forcing it to shut off systems at some facilities. 

CommonSpirit Health – which has more than 1,000 care sites and 140 hospitals in 21 states – said on Monday that it is “managing an IT security issue” impacting several electronic health record systems. 

The Chicago-based company did not respond to requests for comment but said in a statement that it is “following existing protocols for system outages and taking steps to minimize the disruption.”

“As a result of this issue, we have rescheduled some patient appointments. Patients will be contacted directly by their provider and/or care facility if their appointment is impacted,” the company said. 

The statement did little to assuage the anger of customers across the U.S. who reported having issues at their local hospital or with their doctor. Several patients said their doctors were having problems accessing the MyChart tool, which is produced by a company called Epic Systems. 

An Epic Systems spokesperson said the outages were “an isolated incident with one customer: CommonSpirit Health.”

Several local news outlets across the U.S. reported on hospitals in their area facing issues due to the outage. 

MercyOne Des Moines Medical Center had to divert ambulances on Monday due to the outage, and other issues were reported at CommonSpirit's facilities in Chattanooga, Tennessee.

The Omaha World-Herald reported that all CommonSpirit facilities in Omaha were impacted, including Lakeside Hospital, Creighton University Medical Center-Bergan Mercy and Immanuel Medical Center.

A Washington state news outlet said St. Michael Medical Center in Silverdale, Kitsap County's main hospital, and St. Anthony Hospital in Gig Harbor have all been affected by the incident as well.

Although the company did not respond to requests from The Record about the nature of the incident, cybersecurity researchers including Kevin Beaumont suggested ransomware may be involved.

Ransomware attacks on health care organizations have continued throughout 2021 and 2022, including recent attacks on a California nonprofit in March and a major Texas hospital one month ago.

In August, the LockBit gang launched a devastating attack on a hospital about an hour south-east of Paris, which disrupted its medical imaging, patient admissions, and other services. 

Ransomware groups and hackers have also made a point of targeting organizations throughout the health care supply chain like CommonSpirit in an effort to cause the maximum amount of damage.  

The United Kingdom’s National Health Service is still struggling to cope with a ransomware attack on an IT provider this summer. The FBI warned two weeks ago that hackers are going after health care payment processors to steal data and money.


An August ransomware attack on printing and mailing services provider OneTouchPoint had several downstream effects on its customers, prompting it to release a data breach notice on behalf of 34 health care organizations. 

In June, the sensitive information of two million people was accessed during a cyberattack on Shields Health Care Group, a Massachusetts-based health care organization that provides services to more than 50 hospitals and clinics across the northeast, including hospitals at higher-education institutions like Emerson College, University of Massachusetts, Tufts University, Wellesley College and more.

A February ransomware attack on medical debt collection firm Professional Finance Company caused a widespread data breach affecting 657 health care organizations.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.