Local patient data breached in recent VMFH ransomware attack. Here’s what we know

The parent company of a local health system announced Thursday that an October ransomware attack, which crippled access to electronic records for weeks, breached certain local records.

CommonSpirit, in its update, said its investigation “shows that the unauthorized third party gained access to certain files, including files that contained personal information.”

While it continues its review, the company said it “identified that some of these files contained personal information for individuals who may have received services in the past, or affiliates of those individuals, from Franciscan Medical Group and/or Franciscan Health in Washington state.”

It added, “CommonSpirit Health has no evidence that any personal information has been misused as a result of the incident. We are notifying individuals whose personal information was in those files.”

CommonSpirit is the parent company of Virginia Mason Franciscan Health, which has facilities across the Puget Sound region, including King, Kitsap and Pierce counties.

Letters were being sent to individuals starting Thursday, it noted in an FAQ.

Sites named in the breach alert include St. Michael Medical Center (formerly Harrison Hospital) in Silverdale, St. Anne Hospital (formerly Highline Hospital) in Burien, St. Anthony Hospital in Gig Harbor, St. Clare Hospital in Lakewood, St. Elizabeth Hospital in Enumclaw, St. Francis Hospital in Federal Way and St. Joseph Medical Center in Tacoma, as well as physician clinics associated with Franciscan Health.

“The investigation determined that an unauthorized third party gained access to certain portions of CommonSpirit’s network between September 16, 2022 and October 3, 2022,” according to the company.

The ransomware attack, which the company said was first detected Oct. 2, forced area clinics and hospitals in the VMFH network to operate without electronic medical records, including the MyChart patient portal. The disruption led to canceled appointments for some patients and rescheduled surgeries for others.

The company said, “We identified that the information in some of the files related to patients, family members of patients, or caregivers of patients and included: Name, address, phone number(s), date of birth, and a unique ID used only internally by the organization (not the Medical Record Number or insurance ID).”

The investigation, also involving law enforcement, is ongoing, the company added.

It recommended that patients review health care statements for accuracy “and report any services or charges that were not incurred to the provider or insurance carrier.”

There is a call center in place for those seeking further assistance: 855-504-2738, operating Monday through Friday from 7:00 a.m. to 4:30 p.m. Pacific time, excluding U.S. holidays.

An online FAQ is available at commonspirit.org/update/notice-of-data-security-incident.
