Community First Medical Center Data Breach, AlphV and CommonSpirit Health Ransomware Attack

Community First Medical Center, based in Chicago, IL, has started notifying 216,047 patients about a cyberattack in which an unauthorized entity gained access to its computer system on July 12, 2023. According to the September 26, 2023 breach notification, the forensic investigation confirmed third-party access to patient files containing PHI on July 28, 2023.

The types of information compromised in the cyberattack varied from person to person and may have included full names, telephone numbers, email addresses, health record numbers, Social Security numbers, and Medicare numbers. Community First Medical Center said it was not aware of any actual or attempted misuse of patient information; nonetheless, as a precaution, people whose Social Security numbers were exposed have been offered complimentary credit monitoring services. Community First Medical Center had applied several safety measures prior to the cyberattack to safeguard patient data, and it will evaluate and alter its security practices to prevent further data breaches.

Healthcare Providers Posted on AlphV Ransomware Group Data Leak Site

The AlphV ransomware group (also known as BlackCat) has recently claimed responsibility for attacks on two American healthcare companies: MNGI Digestive Health (MNGI), based in Minnesota, and Pain Care Specialists.

MNGI is a doctor-owned gastroenterology practice that was formerly called Minnesota Gastroenterology. According to the AlphV listing, MNGI had 48 hours to contact the group or risk the release of 2+ TB of data that was purportedly stolen in the cyberattack. The group states that the published data will give patients grounds for a class action lawsuit and that violations of sensitive data storage in the company’s repository will also be posted.

The group also listed Pain Care Specialists on its web page and claims to have exfiltrated 150 GB of data in the attack. The stolen data purportedly consists of patient and employee health records and other highly sensitive information. The group also claims to have gained access to federal medical regulation web resources, which are used for handling prescription medication and providing access to the health records of selected persons. AlphV stated it gave Pain Care Specialists until September 26, 2023, to get in touch and settle the payment or face the leak of the stolen data. AlphV also threatened to use the stolen data to contact patients and associates and tell them about the data theft. Samples of the stolen data were posted on the group’s data leak site, though the complete data set has not yet been published.

Neither healthcare company has publicly acknowledged an attack at this point.

Estimated Cost of Ransomware Attack Rises to $160 Million

CommonSpirit Health, the Catholic health system located in Chicago, IL, has reported an operating loss of $1.4 billion for fiscal year 2023. The operating loss reported for fiscal year 2022 was $1.3 billion, which is slightly lower.

The ransomware attack on CommonSpirit Health in October 2022 had a substantial impact on the organization’s financial performance, resulting in a notable $1.4 billion operating loss. The incident severely disrupted its billing and collection operations. CommonSpirit Health’s assessment indicates that the financial repercussions of the attack have now risen to $160 million. This total includes the costs of addressing the breach, mitigating its effects, and covering other associated business expenses. The updated figure exceeds its earlier estimate from May 2023 by $10 million.

Although the ransomware attack had only a short-term impact on patient services, it caused considerable disruptions in claims processing and collections. The data of 624,000 patients, their family members, and caregivers were compromised during the breach, potentially leading to data theft.

CommonSpirit Health has indicated in the past that it expects its cybersecurity insurance to pay for a substantial portion of the expenses resulting from the cyberattack. However, it did not confirm the extent of coverage or the timeline for insurance payouts. Multiple class-action lawsuits have been filed against CommonSpirit Health in relation to the ransomware incident. These lawsuits assert that the healthcare system failed to prevent the attack and the subsequent data breach. One lawsuit alleges that the data of about 1 million patients was exposed during the breach. CommonSpirit Health has not admitted to any wrongdoing, yet there is no assurance that these legal proceedings will not impact its financial standing.

Additional factors that added to the operating losses included a scarcity of labor, inflationary pressures, a decrease in patient acuity and reimbursement rates, as well as expenses related to the termination of approximately 2,000 full-time employees in the fourth quarter of 2022. Despite the year-over-year increase in operating losses, CommonSpirit Health managed to achieve a 0.5% growth in revenues compared to 2022, reaching a total of $34.6 billion. Recognizing the challenges posed by labor shortages and inflation that are affecting numerous healthcare providers, CommonSpirit Health is prioritizing projects and opportunities aimed at driving growth, decreasing costs, and improving operational proficiency.


Posted by Mark Wilson

Mark Wilson is a news reporter specializing in information technology cyber security. Mark has contributed to leading publications and spoken at international forums with a focus on cybersecurity threats and the importance of data privacy. Mark is a computer science graduate.