Three home health and hospice agencies were among 164 CommonSpirit Health facilities that were affected by a ransomware attack last October, according to a new report in HIPAA Journal.
The report said Fargo, ND-based CHI Health at Home, Ohio-based Trinity Home Health and Tacoma, WA-based Franciscan Hospice & Palliative Care were victims of the attack between Sept. 16 and Oct. 3, 2022. A forensic investigation found unauthorized individuals had access to patient information and had stolen some patient data. The data contained patient names, addresses, birth dates, phone numbers, email addresses, dates of service, medical record numbers, healthcare provider names, diagnosis/treatment information, medical billing and claims information, health insurance information and Social Security numbers.
In December, the Catholic-owned health system reported to the Department of Health and Human Services Office of Civil Rights that more than 623,000 people were affected by the ransomware attack. CommonSpirit Health has not updated the number since then. CommonSpirit Health operates 2,200 care sites, including hospitals, critical access facilities and home health agencies and hospices.
Healthcare and public health were the top targets of ransomware attacks last year, according to a recent report by the Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3). The center received 870 complaints in 2022 that resulted in approximately $7 billion in losses. A similar report by the Theft Research Center earlier this year also named healthcare as a top target of cyber attackers. Healthcare accounted for nearly 20% of data breaches, according to that report.
Home care providers have been among the sector’s targets. In January, Home Care Providers of Texas filed a notice with the Texas attorney general’s office reporting that hackers encrypted and removed files from its computer network, compromising the financial information of 124,000 patients. Last fall, Aveanna Healthcare paid a $425,000 fine to the Massachusetts attorney general’s office for failing to protect the personal information of patients and employees from phishing attacks.
