CommonSpirit Hospital Chain Grappling With Ransomware Attack

The intrusion has had minimal impact on Dignity Health, part of CommonSpirit in California, and Virginia Mason Medical Center, a CommonSpirit hospital in Seattle, the parent organization said.

“For the other parts of our health system that have seen impacts on operations, we are working diligently every day to bring systems online and restore full functionality as quickly and safely as possible,” CommonSpirit said in a statement.

Virginia Mason Franciscan Health, a CommonSpirit division that runs 300 care sites in the Pacific Northwest, said it has canceled or rescheduled patient appointments and suspended access to its patient portal. Hospitals such as MercyOne Des Moines Medical Center are unable to offer online appointment scheduling owing to the attack.

People claiming on social media to be employees and patients of CommonSpirit hospitals described staff resorting to paper-based record-keeping, and long waits for laboratory results.

In an interview, Debbie Logan, a patient at St. Clare Hospital in Lakewood, Wash., that is operated by Virginia Mason Franciscan Health, said she is still waiting for results from a magnetic resonance imaging scan she took two weeks ago. The hospital hasn’t provided any information, she said. Ms. Logan said she called CommonSpirit multiple times and spoke with the same operator, who directed her to a different helpline.

“You’ve let us sit and wonder for almost two weeks and you have all my personal information,” she said.

Ms. Logan’s husband Steve Curran had an X-ray last week and waited three hours to be seen. He is scheduled for a hip replacement on Monday and said he is concerned about the procedure because of the problems at the hospital.

CommonSpirit didn’t provide any details on how the attack has played out, beyond saying it is working with law enforcement and has engaged incident-response professionals. Representatives didn’t immediately respond to requests for comment.

Hospitals are attractive targets to hackers, owing to the wealth of sensitive patient and employee data and financial information they hold, said Brett Callow, a threat analyst for cybersecurity company Emsisoft. Ransomware attacks began intensifying in 2020, he said, and so far this year, such groups have hit 18 U.S. hospital chains.

“Ransomware gangs are predictable. If they find a strategy works, they will repeat the same tactics over and over again,” Mr. Callow said.

The threat to patient care can make hospitals more willing to pay ransoms to restore essential services, he said.

“We often don’t find out the extent of these incidents,” he said. “No hospital is going to say patients are dying because of a lack of access to electronic records—even if they were solidly able to make that connection.”

During the Covid-19 pandemic, cybercriminals extensively targeted healthcare organizations as they were also battered by financial pressures. In mid-September, the Federal Bureau of Investigation warned companies that it had observed an uptick in cyber vulnerabilities in healthcare settings, particularly related to medical devices running outdated software.

In April, the Department of Health and Human Services warned hospitals to watch for the “exceptionally aggressive” Hive ransomware group, which has been going after healthcare facilities since June 2021.

Last year, a ransomware attack on Ireland’s public healthcare service shut down all its IT systems nationwide, including those of the 54 hospitals it runs directly, other hospitals that use its technology infrastructure and doctors’ offices.

—Kim S. Nash contributed to this article.

Write to James Rundle at [email protected] and Catherine Stupp at [email protected]