Ransomware attack confirmed at MercyOne's parent company, CommonSpirit Health

One of the largest hospital chains in the country has confirmed a ransomware attack has caused hospital-wide outages across multiple health systems this month, including facilities in Iowa.

Certain systems, including online patient portals and electronic health records, have been taken offline for more than a week at MercyOne facilities following the cybersecurity breach at CommonSpirit Health. Other hospitals across the country, including those in Nebraska, Tennessee and Washington, are also facing disruptions.

CommonSpirit, the Chicago-based nonprofit health care system that operates 140 hospitals in 21 states, said in a statement it took "immediate steps" to protect its systems and contain the incident once the ransomware attack was detected. Officials said they notified law enforcement and have engaged with "leading cybersecurity specialists."

"We continue to conduct a thorough forensics investigation and review of our systems and will also seek to determine if there are any data impacts as part of that process," the statement said.


MercyOne Central Iowa region officials said in a statement that information systems were affected as part of the cyberattack on CommonSpirit Health, but declined to offer more details.

It's unclear whether ransomware successfully invaded MercyOne Des Moines Medical Center's computer systems and other affiliated care sites, which have been offline since Oct. 3. Officials would only say last week that systems were taken offline "as a precautionary step."

Health care providers are required by law to notify the federal Department of Health and Human Services if a breach has compromised the private information of 500 or more patients.

It's unclear how many hospitals were invaded by ransomware

Ransomware is software used by hackers to steal data and encrypt an organization's computer systems, blocking access until the hackers' demands for a ransom fee are met. These cyber criminals can be inside an organization's network for weeks, or even months, before they strike.

CommonSpirit Health did not provide details on the number of facilities within its chain that were hit by the attack.

In some cases, organizations are able to detect the malicious software before it encrypts their systems. However, in CommonSpirit's case, it's more likely that ransomware had already attacked its systems, said Brett Callow, a threat analyst with Emsisoft, a cybersecurity provider.

"My guess would be, based on the amount of time systems have been out of action, that there actually was some encryption," he said. "But that's a guess."

Responding to ransomware is a complex and time-consuming process, and it can often take health care systems weeks to fully recover. However, in the past, hospitals have been able to bring their most important systems back online "fairly quickly," Callow said.

"But what happened in the past can't necessarily be assumed to happen in future incidents," he said.

More details emerging on other impacts to patient care

Other Iowa-based hospitals affected include CHI Health-Iowa, which operates facilities in Council Bluffs, Missouri Valley and Corning.

A banner displayed on CHI Health's website provided further insight on the scope of the issue, stating providers are following offline processes to manage prescription medications for patients. Officials note Iowa law allows for handwritten prescriptions "in emergency situations."

MercyOne officials said all care locations are open and are able to serve all patients' health needs "with some disruption to normal operations."

"MercyOne is working with CommonSpirit to resolve the issues as soon as possible," officials said in a statement. "We are grateful to our colleagues and physicians, who are doing everything possible to minimize the impact to our patients. We take our responsibility to our patients very seriously. Our team is committed to ensuring safe, quality care for our patients and community."

Ransomware attacks are historically known to cause major disruptions to patient care, often leading to delayed procedures, canceled appointments and diverted ambulances. It's unclear how many patients nationwide are affected by this ransomware attack, but ripple effects have been felt locally.

One Urbandale family told the Des Moines Register their 3-year-old son was given a "megadose" of pain medication much too large for his age and size when he was admitted to MercyOne hospital last week. Kelley Parsi, the child's mother, said the only explanation she was given was that the mistake was caused by the downed computer system.

That appears to be the case in this scenario as well, with news outlets nationwide reporting on patients who have faced disrupted care due to offline systems.

That can have serious consequences for patient health. A report published last year by the Ponemon Institute found that about one in four health care organizations reported an increase in mortality rates following a ransomware attack.

"The biggest concern has to be what impacts this will have on patient care and outcomes, both in the short and long term," Callow said. "Health systems are already under a massive amount of stress ― some beyond the breaking point ― and adding a cyberattack into the midst is going to create an enormous challenge for them."

So far this year, 18 health systems nationwide have been hit by ransomware attacks, with data stolen in at least 13 of those cases, Callow said.

There were at least 168 ransomware attacks against health care organizations in 2020 and 2021, affecting more than 1,700 clinics, hospitals and other health care settings across the country, according to Pew Charitable Trusts.

In 2018, most ransomware victims were small businesses, and the average ransom demand was $5,000, Callow said.

The situation has changed drastically since then, Callow said. Hackers are targeting local governments, public school districts and other major sectors, in addition to health care, demanding upwards of tens of millions of dollars in ransom.

That's on top of the major financial toll these attacks can take on hospitals. A 2021 attack on California-based Scripps Health cost the system $112.7 million, mostly in lost revenue.

"What it really highlights is that governments didn't take enough action sooner to deal with this problem, and it has spiraled. The attackers are now better resourced and motivated than they ever have been," Callow said.

Michaela Ramm covers health care for the Des Moines Register. She can be reached at (319) 339-7354 or on Twitter at @Michaela_Ramm.

This article originally appeared on Des Moines Register: MercyOne hospital's parent company confirms ransomware attack