CommonSpirit US nonprofit health system discloses security incident

CommonSpirit Health, one of the largest nonprofit health systems in the United States, says it took down some of its IT systems because of a security incident that has impacted multiple facilities.

The US health system operates 140 hospitals and more than 1,000 care sites in 21 states, and its team of roughly 150,000 employees and 20,000 physicians provides health services to more than 21 million patients.

CommonSpirit said in a statement published Tuesday that it's "managing an IT security issue that is impacting some of our facilities."

"As a precautionary step, we have taken certain IT systems offline, which may include electronic health record (EHR) and other systems," it added.

CommonSpirit also revealed that the incident forced its IT team to follow outage procedures and minimize disruption.

"Our facilities are following existing protocols for system outages and taking steps to minimize the disruption," it said, confirming ongoing system outages.

"We take our responsibility to ensure the security of our IT systems very seriously."

While the nature of the incident is yet to be disclosed, there are hints that link it to a possible ransomware attack that would explain its broad impact.

That one is ransomware for sure, seen the IR chatter. https://t.co/cs4I3MjVKE

— Kevin Beaumont (@GossiTheDog) October 5, 2022

Due to this "IT security issue," CommonSpirit also had to reschedule some patient appointments and said affected patients would be notified by the care facility or their provider.

Health facilities and hospitals impacted by this security incident, including Bergan Mercy Hospital, MercyOne Des Moines Medical Center, and multiple Virginia Mason Franciscan Health providers, have reported not being able to access CommonSpirit Health's electronic health records systems.

Doctors told patients who called in to make appointments at CommonSpirit locations that they couldn't schedule any new ones because their computers were down.  

A CommonSpirit spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today.