$100 Million awarded Since 1994 6,000 Satisfied Clients

Posted On April 12, 2023 Consumer Privacy & Data Breaches

Data Breach at CommonSpirit Health

NOTICE: If you received a NOTICE OF DATA BREACH letter from CommonSpirit Health, contact the attorneys at Console & Associates at (866) 778-5500 to discuss your legal options, or submit a confidential Case Evaluation form here.

Data Breach AlertApril 12 – After discovering that over 623,000 people’s personal information had been exposed by a ransomware attack, CommonSpirit Health, on April 6, 2023, notified the Montana Attorney General of the breach. According to the formal report filed by the business, the event led to the exposure of consumers’ personal information, including names, birth dates, addresses, email addresses, telephone numbers, Social Security numbers, and protected health information. CommonSpirit began distributing data breach notification letters to all persons affected by the recent data security incident after it was confirmed that customer data was compromised.

Data breach lawyers at Console & Associates, P.C. are currently looking into the incident at CommonSpirit Health. If you have received a letter from CommonSpirit Health, you should be aware that your personal information may be at risk of being used fraudulently or stolen if you are not careful. We’re happy to talk to you for free about the data breach, the steps you can take to protect yourself, and whether or not you have legal grounds to sue CommonSpirit Health.

About CommonSpirit Health

Dignity Health and Catholic Health Initiatives merged to form CommonSpirit Health, a non-profit Catholic healthcare network. CommonSpirit, headquartered in Chicago, Illinois, manages over a thousand healthcare locations across 21 states. CommonSpirit Health, founded in 2019, is responsible for the income of roughly $34 billion and the employment of more than 150,000 people.

Information About the CommonSpirit Health Breach

On October 2, 2022, CommonSpirit discovered that a ransomware attack had recently occurred against its IT network, as stated in a complaint filed with the Attorney General of Montana and a statement published on the company’s website. CommonSpirit’s response was to tighten security throughout its network and consult outside forensic experts to figure out what happened.

According to the findings of the CommonSpirit investigation, an outsider breached the company’s IT network between September 16 and October 3, 2022. More than 623,000 people’s private information was found to have been exposed.

CommonSpirit Health has begun reviewing the affected files to identify what information was hacked and who was affected following the discovery that sensitive customer data was made available to an unauthorized entity. As of the 21st of February, 2023, CommonSprite had finished this procedure. Information such as names, dates of birth, addresses, email addresses, phone numbers, Social Security numbers, and protected health information may have been compromised.

Data breach letters were sent out by CommonSpirit Health on April 6, 2023, to everyone whose personal information was exposed in the data leak.

What Can Possibly Happen if Your Protected Health Information Gets Out?

Although it might not appear like much is at stake at first look, a patient’s protected health information contains a lot of sensitive information.

Protected health information (PHI) is specified by 18 identifiers in the Health Insurance Portability and Accountability Act of 1996. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) only protects some types of health information. All PHI is tagged and managed thanks to HIPAA (PHI). “Privacy Rule” states that PHI is:

  • Name;
  • Less-than-state-level geographic places (such as a street address, city, county, zip code, etc.);
  • Any dates related to a patient that are more specific than a year, date of birth, date of death, date of discharge, etc.;
  • Numbers for:
    • Social security number;
    • Phone;
    • Medical record;
    • Certificate and license;
    • Account; and
    • Health plan beneficiary;
  • Email address;
  • Device identifiers;
  • Vehicle identifiers, like license plate numbers;
  • Fax number;
  • Internet protocol (IP) address;
  • Web URL;
  • Biometric IDs, such as a fingerprint or voice print;
  • Full-face photographs and other photos of identifying characteristics; and
  • Any other unique identifying characteristic.


Criminals may now perform medical ID theft with this data. That means hackers or criminals who purchase your information on the dark web can use it to gain access to free medical treatment in your name. This might lead to potentially harmful errors in your medical record, such as a lack of information about your health or the presence of diagnoses and medications that do not belong to you. A significant medical expenditure for unnecessary care is another possible outcome. The quality of treatment you receive the next time you see a doctor may be affected by these factors.

If You Have Been Affected by CommonSpirit Health Data Breach, Console & Associates, P.C. Can Help

The consumer privacy lawyers at Console & Associates, P.C. help customers affected by data and security breaches pursue legal solutions by offering free consultations. By explaining your rights in clear, concise terms, we help you make an informed decision about your next steps. If you are a victim of the CommonSpirit Health data breach, Console & Associates, P.C. will investigate at no charge to you and offer advice on how to proceed. If you decide to pursue a case, rest assured that we don’t get paid unless you do. If your claim is successful, legal fees are either paid out of the funds recovered or by the defendant. If your claim is not successful, you pay nothing.

To schedule your free consultation, just call (866) 778-5500 today or fill out our secure contact form.

Below is a portion of the notice posted on their website:

CommonSpirit Health and its affiliated entities (“CommonSpirit”) take the protection and proper use of personal information very seriously. Regrettably, CommonSpirit experienced a ransomware event that impacted some personal information. While CommonSpirit has no evidence of misuse of the personal information as a result of the incident, this notice is to explain the incident, our response to it, and steps one can take to protect personal information.

CommonSpirit Health is the parent organization to Catholic Health Initiatives and Dignity Health facilities. CommonSpirit Health also is or has been associated with Centura Health and MercyOne (Iowa).  Not all CommonSpirit Health locations were involved in this incident. A list of locations whose data may have been involved can be found here.

What happened?

On October 2, 2022, CommonSpirit detected a ransomware attack on its IT network. CommonSpirit immediately took steps to secure the network, which included proactively taking some systems offline, and began an investigation with the assistance of an external forensics vendor. The investigation determined that an unauthorized third party gained access to the network between September 16, 2022 and October 3, 2022. While the unauthorized third party did not retrieve data directly from CommonSpirit’s Electronic Medical Records systems, during that time, the unauthorized third party obtained copies of some of the data on our systems, including files from two file share servers that contained some individuals’ information. CommonSpirit had used the data on the file share servers in performing various operational functions, and some of the data dates back several years. With respect to the data on the file share servers, determining what and whose data was impacted has required a detailed and time-consuming review of each individual file on each file server to identify the specific individuals whose information may have been impacted, and the type of information associated with each such individual. The initial phase of this part of the investigation was completed on February 21, 2023.  Once this component of the review concluded, we worked to identify, when possible, the current and past CommonSpirit location(s) associated with the data.   We then worked to identify accurate address information to provide notice to potentially affected individuals and only recently completed these efforts.

What information was involved.

The individuals included in this notification are those whose information was identified on the file share servers.

The information in the files included demographics such as name, address, date of birth, phone number(s), email address, as well as medical information such as dates of service, medical record number, healthcare provider’s name, diagnosis/treatment information, medical billing/claims information, patient’s facility associated account/encounter number, and health insurance information. For a small number of individuals, Social Security Number was also involved.

What we are doing.

Upon discovering the ransomware attack, CommonSpirit quickly mobilized to protect its systems, contain the incident, begin an investigation, and maintain continuity of care.  In addition, CommonSpirit notified law enforcement.  Once secured, systems were returned to the network with additional security and monitoring tools.  CommonSpirit began notifying individuals impacted by the file share server data by US. Mail on April 6, 2023.

What you can do.

Though CommonSpirit has no evidence that the information has been misused as a result of this event, it is always prudent to review health care statements for accuracy and report any services or charges that were not incurred to the provider or insurance carrier.

For more information.

If you need more information about this event, we have retained Kroll, a trusted third party partner, to manage a call center that can answer specific questions about this event. To contact Kroll, please call 1-866-869-0312, Monday through Friday from 8:00 a.m. to 5:30 p.m. Central Time excluding U.S. holidays.

NOTICE: If you received a NOTICE OF DATA BREACH letter from CommonSpirit Health, contact the attorneys at Console & Associates at (866) 778-5500 to discuss your legal options, or submit a confidential Case Evaluation form here.