CommonSpirit operates 140 hospitals and more than 1,000 locations of care across 21 states. Although CommonSpirit is headquartered in Chicago, it does not operate any hospitals in Illinois.
The facilities affected in the cyberattack include facilities in Iowa, Nebraska, Tennessee, and Washington. The lawsuit says there are at least 100 members of the proposed group, though the US Department of Health & Human Services’ Office of Civil Rights reports that more than 623,700 people have been affected. The lawsuit says CommonSpirit serves 20 million patients at its facilities across the country. HHS is currently investigating violations of CommonSpirit.
The lawsuit was filed December 29 in the U.S. District Court for the Northern District of Illinois by Leeroy Perkins, a Washington resident and patient at CommonSpirit’s Virginia Mason Franciscan Health hospital in Seattle. Since the breach, Perkins said he has had to spend valuable time monitoring his various accounts and changing his passwords to protect his information. The lawsuit seeks more than $5 million in damages and temporary relief for Perkins and all others in similar circumstances.
Perkins’ attorney and a representative for CommonSpirit did not immediately respond to a request for comment.
CommonSpirit first reported in early October that it was working on an IT security issue that was disrupting operations at some of its facilities. About a week later, the health system confirmed they were victims of a cyberattack and forced the shutdown of patient portals and some electronic health records.
Electronic health records are vital to modern hospital operations. They allow doctors, nurses, and other caregivers to view patient histories, scans, medications, and other details about a treatment plan.
The cyberattack was not resolved until a month later, when CommonSpirit said it had restored most of the EHRs at its hospitals and care facilities. At the time, CommonSpirit said that upon discovering the ransomware attack, the organization mobilized to protect its systems while continuing to care for patients.
Download Modern Healthcare’s app to stay informed when there’s breaking industry news.
Health systems are increasingly becoming targets of cybercriminals. According to research from Protenus, a healthcare compliance company in Baltimore, there were 905 reported health data breaches in 2021, up 19% from 758 the year before.
In Chicago, Duly Health & Care, formerly known as DuPage Medical Group, reported a data breach in 2021 that affected more than 600,000 patients. In 2019, Rush disclosed a data breach that exposed 45,000 people.
More recently, local health systems have also dealt with patient data breaches after using internet tracking technologies from companies such as Google and Facebook, Meta’s parent company, which help systems healthcare systems that collect detailed information about how patients and others interact with their websites. Advocate Aurora Health, Northwestern Medicine and Rush System for Health have each been sued over this issue.
This story first appeared in Crain’s Chicago Business.
