Catholic Health Initiatives hit by data breach

Published 2:20 pm Monday, April 17, 2023

Getting your Trinity Audio player ready...

Kentucky is one of 13 states with hospitals that have been affected by a ransomware attack on the CommonSpirit health-care system, which is the parent organization of Catholic Health Initiatives in Kentucky.

Mary Branham, spokesperson for CHI Saint Joseph Health, said in an email that it started the notification process about this data breach in December, even as the review of the files was ongoing.

“We have completed the review and identified additional current and past CommonSpirit locations associated with the data,” Branham wrote. “Beginning in April 2023, we issued our last anticipated notification to potentially impacted individuals.”

Email newsletter signup

According to an April 6 CommonSpirit update, these Kentucky facilities were included in the ransomware event: Flaget Memorial Hospital, Bardstown; Saint Joseph Hospital, Lexington, Nicholasville; Saint Joseph Health Community Pharmacy, Lexington; Saint Joseph Berea; Saint Joseph East, Lexington; Saint Joseph London; Saint Joseph Mount Sterling; Saint Joseph Mount Sterling Outpatient Rehab; Saint Joseph Mount Sterling Outpatient Rehab, Flemingsburg; Continuing Care Hospital, Lexington; and CHI Saint Joseph Medical Groups in Central and Eastern Kentucky, as well as Jewish Hospital in Louisville and Saint Joseph Martin in Floyd County, which were formerly part of CHI.

CommonSpirit, which has more than 1,000 care sites and 140 hospitals in 21 states, said the ransomware attack was detected Oct. 2 and an investigation determined an unauthorized third party gained access to the network between Sept. 16 and Oct. 3. The party obtained copies of some data, including two file-share servers containing information on individuals going back several years.

Information in those files included “demographics such as name, address, date of birth, phone number(s), email address, as well as medical information such as dates of service, medical record number, health-care provider’s name, diagnosis/treatment information, medical billing/claims information, patient’s facility associated account/encounter number, and health insurance information,” the update said. “For a small number of individuals, Social Security number was also involved.”

Branham said, “We immediately took steps to secure the network, which included proactively taking certain systems offline, and began an extensive investigation with the assistance of leading external cybersecurity specialists and law enforcement. . . . We have no evidence that this information has been misused.”

That said, the CommonSpirit update advises ongoing caution: “Though CommonSpirit has no evidence that the information has been misused as a result of this event, it is always prudent to review health care statements for accuracy and report any services or charges that were not incurred to the provider or insurance carrier.”

According to CommonSpirit’s most recent quarterly financial statement, the data breach cost the organization about $150 million, which includes lost revenues from the interruption to business and costs to remedy the issue, Modern HealthCare reports. It also reports that the U.S. Department of Health & Human Services Office for Civil Rights reported that more than 623,700 people were affected.