CommonSpirit hospital patients, providers face delays from 'IT security incident'

Josh Farley
Kitsap Sun
St. Michael Medical Center in Silverdale in October 2020.

For several days, an outage of electronic health records spurred by an "IT security incident" has crippled the operations of more than 140 medical facilities in 21 states managed by CommonSpirit Health System, the second-largest nonprofit hospital chain in the country. 

Among the company's locations are St. Anthony Hospital in Pendleton and Mercy Health in Roseburg.

Appointments have been canceled, ambulances diverted and even critical procedures delayed, according to patients and their families across the nation.

One Washington couple said they've been denied a planned CT scan to check on a life-threatening brain bleed because of the outage and have been unable to contact healthcare providers to reschedule. 

"My husband is in limbo with a potentially very serious neurological condition," said the man's wife, who requested their names be withheld as they're dependent on the hospital for care. "If the brain bleed continues, there can be dire consequences to brain function and to life itself."

In Iowa, the Des Moines Register reported a hospital had shut down some of its information technology systems, including electronic health records "as a precautionary step." It also diverted ambulances to other medical facilities.

CommonSpirit has not disclosed whether the massive outage of the electronic health records systems is a ransomware attack, where hackers use malicious software to hold hostage a computer system, usually until demands are met — such as a cash payout. It's also unclear if patient data has been compromised. 

Though the cause is not publicly known, statistically, it's the most likely cause, according to Brett Callow, an analyst with New Zealand-based Emsisoft, a cybersecurity firm. 

"The big question is how much the attack progressed," Callow said. "Whether they stopped it early or if a whole bunch of systems have been compromised that could affect them for months." 

At least 61 hospitals have been impacted by ransomware so far in 2022, according to Emsisoft

Callow recommends those with accounts at the hospitals within CommonSpirit begin to check them for signs of fraudulent activity, as a way of erring on the side of caution if it is ransomware. 

As required by law, CommonSpirit has 60 days to notify the federal Department of Health and Human Services for breaches affecting 500 or more people if information was indeed compromised in an attack.

Already, the outage is leading to big headaches for patients, families and healthcare providers. When Melinda Krieger took her sister to the doctor for a worrisome mass in her stomach Tuesday morning, staff there weren't even aware she had an appointment. 

Her sister was still able to see the doctor at a clinic in East Bremerton, Washington. But he couldn't put in a referral for a CT scan or authorize the procedure through insurance.

"They can't put anything in the computer," said Krieger, a Seabeck resident. 

Medical providers have shifted to a makeshift paper system of record-keeping and using phones to connect with other providers and insurance companies. Kreiger and her sister were advised by the doctor to head to the emergency room at St. Michael Medical Center, which has been plagued by chronic understaffing.

"It was packed," said Krieger, who took her sister to St. Anthony Hospital in Gig Harbor, also a VMFH facility, after witnessing the crowding. 

Inside, Krieger was able to get her sister in for the scan, but noticed growing stacks of paper behind the front desk counter, including on the floor, where staff appeared to be keeping ever-growing amounts of patient information that couldn't be logged online.  

"And once we get the results, we'll carry them by hand to the doctor in Bremerton," Krieger said.

The Statesman Journal contributed to this article.