‘IT security issue’ impacts multiple hospitals across several states

In a statement CommonSpirit Health says it has taken certain systems offline as a precaution.
(David Sacks/Getty Images)

A healthcare network that includes 140 hospitals and more than 1,000 facilities in 21 states is working through an “IT security issue.”

In a statement posted Tuesday to its website, Chicago-headquartered nonprofit CommonSpirit Health said: “CommonSpirit Health is managing an IT security issue that is impacting some of our facilities. As a precautionary step, we have taken certain IT systems offline, which may include electronic health record and other systems.”

The incident began Oct. 3 and has affected hospitals in Iowa, Nebraska and Washington, according to local news reports in those areas. The reports from Iowa and Washington noted that patients were at least temporarily diverted from impacted hospitals to neighboring facilities. The company’s statement said it had “rescheduled some patient appointments” as a result of the situation.

It’s not clear how many of the company’s facilities have been impacted, or whether it was a ransomware attack. A company spokesperson did not immediately respond to a request for comment.


Earlier this month on Oct. 3, the 911 emergency system in Douglas County, Neb., suffered its own ransomware incident. That county is home to one of the impacted health facilities, CHI Health in Omaha, Neb. Kyle Kramer, the county’s technical manager, told CyberScoop that there’s no indication that the incidents were related.

Reports online claimed that Epic Systems Corp., a healthcare-related software developer, had been targeted in the attack. CommonSpirit Health is a customer of Epic and the situation does not involve Epic, an Epic spokesperson told CyberScoop Wednesday.

At least 15 health systems in the U.S., operating 61 hospitals, have been impacted by ransomware in 2022, said Brett Callow, a threat analyst with cybersecurity firm Emsisoft. That’s just shy of the 68 providers impacted by ransomware in 2021, and the 80 in 2020, according to Emsisoft tracking data.

“The health sector has been dealing with a barrage of financially motivated cyberattacks for the last few years and, unfortunately, it doesn’t appear that they’ll be ceasing any time soon,” Callow told CyberScoop Wednesday. “While governments and law enforcement agencies are having more successes, I think it’ll be a very long time before the war is close to being won.”

Latest Podcasts