ChatGPT's Summary: In this episode of Today in Health IT, Bill Russell discusses the Common Spirit data breach that affected more than 600,000 patients across 100+ facilities in at least 13 states. The nationwide Catholic healthcare chain detected the ransomware attack in October and suffered a loss of $150 million, which includes lost revenue and the cost of remedying the issue. Information leaked during the breach includes names, addresses, birthdays, contact information, medical information, billing information, and social security numbers. Common Spirit has no evidence of misuse of the leaked personal information. Russell suggests using this article as an educational tool for boards, identifying and mitigating key areas of risk, updating architecture and tools to adapt to system expansions, and exploring tools like CrowdStrike and PHI Locator to enhance security.
Today in Health IT we're gonna break down the Common Spirit data breach. My name is Bill Russell. I'm a former CIO for a 16-hospital system and creator of This Week Health, a set of channels dedicated to keeping health IT staff current and engaged. We wanna thank our show sponsors who are investing in developing the next generation of health leaders:
Sure Test and Artisight. Check them out at thisweekhealth.com/today. Having a child with cancer is one of the most painful and difficult situations a family can face. In 2023, in celebration of our five years of This Week Health, we are working to give back. We are partnering with Alex's Lemonade Stand all year long.
We have a goal to raise $50,000 from our community, and we've already raised, I keep getting this number wrong, it's actually $29,000 this year. We are so excited and so grateful for all of you who have participated. We ask you to join us: hit our top banner, and you'll see a logo with Alex's Lemonade Stand.
Click on that to give today. And hopefully you'll participate in our HIMSS Captain's Cures for Childhood Cancer campaign. Get your picture taken with Captain while you're there. For everybody in the picture, we give $1 to Alex's Lemonade Stand and the fight to find cures for childhood cancer.
So please, if you're at HIMSS, please participate in the program. We'd love to have you be a part of it. We believe in the generosity of our community, and we thank you in advance. All right. So this has been out for a little while. Let's see, when did this come out? April 10th. And it details the Common Spirit data breach.
And I wanted to get back to this because when this was going on, we had so little information. Common Spirit, I believe, was caught pretty flat-footed on this one. They didn't really have a great communication plan. It really just, I don't know, there was a lot of confusion. People were showing up at the hospital not knowing what's going on and that kind of stuff, and that's indicative of an organization that just didn't have an overarching plan from end to end.
And I'm sure that that's being put in place today, as is usually the case following a breach. Plus, I think with Daniel Barchi there, I think they're pretty much getting on top of this as we speak, if they haven't already gotten on top of it. So let me give you some of the details. Common Spirit Health, the nationwide Catholic healthcare chain, revealed additional details around the impact of the data breach late last year that affected more than 600,000 patients.
The health system disclosed a list of more than a hundred facilities across at least 13 states, which is a lot more than I reported, a lot more than we knew at the time. By the way, Common Spirit detected the ransomware attack in October. The health system also said that about 50 more home care services locations were also included in the breach.
Common Spirit and media reports disclosed some facilities and states affected at the time of the breach, but the full extent was unknown until now. Crain's previously reported that facilities in Iowa, Nebraska, Tennessee, and Washington were among those affected. But according to Common Spirit's disclosure, facilities and services in Arkansas, Georgia, Indiana, Kansas, Kentucky, Minnesota, New Jersey, North Dakota, Ohio, Oregon, Pennsylvania, and Texas were also included.
It's a big health system. Wow. Although Common Spirit is headquartered in Chicago, it doesn't have any hospitals in Chicago. The health system is the parent organization of Catholic Health Initiatives and Dignity Health, and is, or has been, associated with Centura Health and MercyOne facilities, which were among those in the breach altogether.
Common Spirit operates about 140 hospitals and a thousand sites across the US in 20 states. And here's the number. Okay. According to Common Spirit's most recent quarterly financial statement, the data breach cost the organization about $150 million, which includes lost revenue from the interruption to business and the cost to remedy the issue.
That's not the final number, by the way. There's no way. The breach at Scripps was about $120 million. Even if you look at it as that was what was lost, there's gonna be an awful lot of investment that needs to happen between now and, I don't know, let's just say 18 months post-breach. It's gonna drive that number up pretty significantly, which isn't technically a result of the breach, but it's prioritizing the investments
in security as a result of the breach. So that number still could go a little bit higher, but it will not show up in this number. It'll show up more in an increase in capital spend around security items and potentially some operating spend as well, as they start to do tabletop exercises and other things.
Anyway, information leaked during the breach includes names, addresses, birthdays, contact information, and medical information. Additionally, billing information and social security numbers were also involved. In a statement, Common Spirit said it has no evidence that the personal information leaked is being misused, and that is likely true, but they took it for a reason.
And you know, this is why we have identity protection and other things, because you don't know when it's gonna be used or how it's gonna be used. Although, you know, the data doesn't get better with age. It only gets worse with age. So whoever has it will likely try to use it soon, to either breach an individual's
credit, which, let's see, what's the information that was leaked? Names, addresses, birthdays, contact information, and medical information. I mean, and social security numbers also. So there's a fair amount of what's needed in order to reach somebody's personal information and their identity.
So again, if you're a part of Common Spirit or visited a Common Spirit health system, you'll probably be notified and want to take the necessary actions. Though Common Spirit has no evidence, I already said that. Common Spirit began notifying impacted individuals at each facility by mail
April 6th. Based on the Office of Civil Rights, 623,700 people were affected. Common Spirit did not immediately respond to the request seeking further information, today they first reported the breach, so forth and so on. And Common Spirit was hit with a class action lawsuit, which is pretty common in these as well.
That's, you know, a couple of key things in here. The number of patients impacted, I think, is an important number to know if you're a cybersecurity professional, the number of facilities and states. You know, again, 140 hospitals, a thousand sites, 20 states, 640,000 patient records, and they're reporting $150 million
as the cost of the breach. So those are the important numbers to remember and to know. So, you know, how would I use this if I were a CISO or a CIO today? One is I would absolutely get this Modern Healthcare article and make sure that everybody on my board read it and understood the risks associated with it.
Again, I think it's cliché to go and say, hey, Common Spirit lost $150 million, that's what we could potentially lose, or whatever. I mean, you could do the math and figure out their scale to your scale, number of patients, and about how much you would lose, and the reputational risk and all those things. But hopefully you've already done that.
Hopefully you have a framework you've put in front of your board and you're walking them through it, you're educating them. This is just more education. This is a piece of education to move along. What I would be doing as a CIO and CISO would be identifying our areas of greatest risk, identifying the investments in both personnel and technology, as well as education and other things, to make sure that we are mitigating those key areas of risk.
Moving forward, I would know, I would have the plan in place, understand the communication that needs to happen, have prioritized your applications for restoration. I would have built a sandbox before you get into a ransomware situation so that you could start recovering.
I would protect your AD. That is what they're trying to hammer right out of the chute. If they can get to your AD, they're gonna get to everything. So you have to protect your AD. I know we think a lot about the EHR, but we have a lot of controls around the EHR. If data starts moving out of the EHR, we generally know about it.
But if they have proper access to the data, then it becomes really hard. So I would also look at some of the newer tools that are coming out that are just much more sophisticated in terms of knowing, you know, what information's moving, where it's moving to. I like the CrowdStrike solution.
I like the Tausight solution. You know, modernize your stack as you're moving forward. It's not all about technology. I know that's, you know, CISOs tell me that all the time, you know, don't pick the technology first. But in a lot of cases, they're, you know, CrowdStrike, it's crowdsourcing
security, and I like that model. It's one in which everything that affects the entire community gets reported back and you get stronger and stronger. The reason I like the Tausight solution is because it identifies where your PHI is. They have a new solution called PHIL, personal health locator, I think it is.
And you can point the tool, and it's a free tool, you can point the tool at a data store and say, tell me what PHI is out there, and it'll identify that physician that put, you know, a couple hundred gig of PHI data into a share drive that you're not familiar with right now. That's important information to have because that's the kind of stuff that gets breached.
You have a little phishing campaign that goes on, and all of a sudden that person's breached. They go, they find those records, they pull that out, and all of a sudden now, even those records could be 10 years old, no one even knows. But that's because you haven't used the tools that are available to you to find them.
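The "point a tool at a data store and tell me what PHI is out there" idea above, as an added illustration that is not part of the episode and is not the PHI Locator product it mentions: a minimal scanner that walks a share drive, counts SSN, date-of-birth and MRN patterns per file, and reports the files a defender should look at. The regexes, file-type filter and the constructed sample share are assumptions of this example.

```python
import re
import tempfile
from pathlib import Path

# Assumed PHI indicators for this illustration. The SSN pattern rejects
# area numbers 000, 666 and 9xx, which are never issued, to cut false hits.
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "dob": re.compile(r"\b(?:DOB|Date of Birth)\s*[:=]?\s*\d{1,2}/\d{1,2}/\d{4}\b", re.I),
    "mrn": re.compile(r"\bMRN\s*[:#]?\s*\d{6,10}\b", re.I),
}
TEXT_EXT = {".txt", ".csv", ".log", ".md"}  # assumed: only plain-text exports are scanned


def scan_text(text):
    """Return {indicator: hit_count} for one document body."""
    return {name: len(rx.findall(text)) for name, rx in PATTERNS.items()}


def scan_tree(root):
    """Walk a share and return {relative_path: hits} for files that contain PHI."""
    findings = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in TEXT_EXT:
            continue
        hits = scan_text(path.read_text(errors="replace"))
        if any(hits.values()):
            findings[str(path.relative_to(root))] = hits
    return findings


def build_sample_share():
    """Constructed sample share: one forgotten research export with PHI, one clean file."""
    root = Path(tempfile.mkdtemp(prefix="share_"))
    (root / "research").mkdir()
    (root / "research" / "cohort_2013.csv").write_text(
        "name,ssn,dob,mrn\n"
        "Jane Doe,123-45-6789,DOB: 04/12/1961,MRN 00482913\n"
        "John Roe,887-65-4321,DOB 11/02/1975,MRN#55512345\n")
    # An invoice number shaped like an SSN but with an unissued area number: not PHI.
    (root / "minutes.txt").write_text("Budget notes. Invoice 000-12-3456 is not an SSN.\n")
    return str(root)


if __name__ == "__main__":
    for rel, hits in scan_tree(build_sample_share()).items():
        print(rel, hits)
```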
So, just some of the things I would be doing. Continue your path. Get a framework in place. Continue to educate your board. Use this article as part of the education of the board. Identify your risk, your key areas of risk. Always know what those are. Constantly be assessing those, your threat vectors, and as your system expands, continue to update your architecture and your tools to adapt to that.
So I think that's all for today, and that's probably enough for today. So there you have it. If you know of someone that might benefit from our channel, please forward them a note. They can subscribe on our website, thisweekhealth.com, or wherever you listen to podcasts: Apple, Google, Overcast, Spotify, Stitcher.
You get the picture. We are everywhere, or we're trying to be. We wanna thank our channel sponsors who are investing in our mission to develop the next generation of health leaders: Sure Test and Artisight. Check them out at thisweekhealth.com/today. Thanks for listening. That's all for now.