Catholic health system and nonprofit hospital chain CommonSpirit Health has said that a ransomware attack it suffered in October 2022 cost the company US$160 million.
Ransomware attacks against healthcare companies are becoming all too common, with one in 42 healthcare organizations worldwide being the victim of ransomware attacks in the final quarter of 2022. With the average cost of a ransomware attack in the US reaching $9.44mn in 2022, the impact of these cyber attacks can be widespread and devastating.
The ransomware attack occurred on October 2, 2022, and forced CommonSpirit Health to take its systems offline, impacting more than 100 CommonSpirit facilities across the United States. During the attack, the personal data of more than 623,700 patients was exposed.
Following a forensic investigation into the cyber attack, it was discovered that malicious actors first gained unauthorized access to CommonSpirit’s network on September 16, 2022. The hackers were removed on October 3 following the discovery of the cyber security incident.
The attack was initially thought to have cost the company $150mn; however, on May 25, 2023, CommonSpirit updated its estimate to $160mn. The healthcare organization cited business interruption, remediation costs and other expenses relating to the business as the reasons for the cost.
CommonSpirit is facing two class action lawsuits related to the ransomware attack. Both lawsuits, which were filed with the US District Court for the Northern District of Illinois and in Washington state, allege that CommonSpirit was negligent and failed to implement appropriate cyber security safety measures, leading to the exposure of confidential information.