The October hack of CommonSpirit Health reportedly led to medication errors, delayed life-saving cancer surgery, and diverted ambulances. The nonprofit is believed to have paid the attackers ransom to protect patients’ lives.
Last month, hackers breached the network of CommonSpirit Health, the second-largest nonprofit hospital chain in the US, with 140 hospitals and over 1,000 care sites.
In an exclusive report analyzing the incident, the Daily Mail reveals that the crippling ransomware attack led to the pain medication overdose of a 3-year-old boy in Iowa. The incident also delayed critical scans and surgery, with experts telling the news outlet that patients’ lives were put at risk.
And in Washington a man was denied a planned CT scan to monitor a life-threatening brain bleed. Another patient in Washington reportedly had the removal of a cancerous tumor on her tongue delayed.
People who said they work at impacted hospitals across the US took to Reddit to vent, with some admitting that the situation led to “terrible and unsafe” care on their end.
As reported on this blog in October, a nurse at St. Michael Medical Center made a desperate plea for help by calling 911, saying she and her fellow nurses were “drowning” in patients with too few hands on deck to assist everyone.
Also last month, a parent whose daughter claimed to be a nurse at a CommonSpirit hospital told The Register that the facility had patients on dialysis machines without current lab reports. The person also said IV medications from the pharmacy had hand-written labels “without correct order information.”
"Most of the nursing staff is unfamiliar with doing paper charting, and handwritten information leads to errors," they added.
In a recent update, CommonSpirit said the "majority" of providers operating under its umbrella have access to patient electronic health records.
As the hospitals slowly recover, concerns remain about the potential leak of sensitive medical records belonging to some 20 million Americans who are registered with CommonSpirit.
Shortly after the incident became public, the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) released a joint advisory warning that the ‘Daixin Team,’ a cybercrime group actively targeting US entities, was focusing mainly on the healthcare and public health (HPH) sector with ransomware and data extortion operations.
According to the advisory, the Daixin Team deploys ransomware to encrypt servers responsible for healthcare services, including electronic health record services, diagnostics services, imaging services, and intranet services. The group also exfiltrates personally identifiable information (PII) and patient health information (PHI), and threatens to release that data if a ransom is not paid.
Databreaches.net’s Dissent Doe, a healthcare professional who covers cyber-attacks on the health sector, told the Daily Mail that, “While Daixin Team wouldn’t directly confirm involvement in the CommonSpirit attack or receipt of any ransom, all signs point to ransom having been paid – not the least of which is that if CommonSpirit hadn't paid, some group would have publicly claimed responsibility and started leaking data to put pressure on them.”