CommonSpirit Health has told regulators that the protected health information of more than 623,700 people was comprised in a ransomware attack first announced in October.
The health system reported the breach on Dec. 1 to the HHS, according to an online breach portal. The breach is now under investigation by HHS Office for Civil Rights.
Providers are required to notify the HHS when breaches occur. If a breach affects more than 500 people, providers are required to tell the department within 60 days following the incident.
The system said attackers gained access to portions of its network between Sept. 16 and Oct. 3, specifically affecting people who may have received services from certain facilities of Virginia Mason Franciscan Health, a CommonSpirit entity.
The attack may have exposed more than just patients. CommonSpirit said the information of family members and caregivers may have been accessed as well.
CommonSpirit said the ransomware attackers gained access to some files that contained names, addresses, phone numbers, birth dates and a unique ID used internally.
In a previous statement the health system said it has “no evidence that any personal information has been misused as a result of the incident.”
CommonSpirit is one of the nation’s largest health systems with 142 hospitals spanning 21 states. It is based in Chicago.