CommonSpirit Health in class-action legal battle over major data breach

by | Jan 4, 2023 | Healthcare Industry News

A Washington state resident has initiated a major lawsuit in a federal court in the state of Illinois. The complaint, made by Mr Leeroy Perkins, alleges that a Chicago-based healthcare system neglected to use essential data security procedures to keep patient health information secure. The organization in question is CommonSpirit Health, a large-scale Chicago-based hospital operator that oversees 140 hospitals across twenty-one states in the United States. The organization places emphasis on individuals who are considered


CommonSpirit uncovered alarming activity on its IT network at the beginning of October last year. The organization promptly announced a security incident, and soon after established that ransomware was present. The ransomware was found to be the work of an unauthorized third party, who had the ability to access specific files, including those containing personal data. CommonSpirit took action to secure its network, including deliberately taking several of its systems offline. Following this, an investigation with the aid of cybersecurity experts commenced. CommonSpirit commented on the incident in a press release, stating the following:

“Upon discovering the ransomware attack, CommonSpirit quickly mobilized to protect its systems, contain the incident, begin an investigation, and maintain continuity of care. In addition, CommonSpirit notified law enforcement and is supporting their ongoing investigation. Once secured, systems were returned to the network with additional security and monitoring tools.”

The ransomware attack targeted the key information of patients, and many personal details were exposed, including:

• name of patient
• home address of patient
• telephone number
• date of birth
• unique patient ID used by CommonSpirit

The federal complaint requested both declaratory and injunctive relief, in addition to class-action status, payment for damages incurred, and restitution. Perkins was a patient at Virginia Mason Franciscan Health, a facility that falls under the CommonSpirit health system. Perkins is currently represented by Lynch Carpenter, a law firm based in Pittsburgh, Pennsylvania. The lawsuit against CommonSpirit also alleges a delayed notification of victims whose data had been compromised. In the filing, it is stated that the unauthorized access was discovered in early October, yet the defendant did not begin notifying those affected until two months following the discovery. This delay in communication is cited as a violation of the federal Health Insurance Portability and Accountability Act (HIPAA).

According to the suit, the affiliates of CommonSpirit Health have also encountered issues within their everyday operations. These problems involve difficulty in the creation of patient appointments and inappropriate drug dosages prescribed by clinicians. These issues are said to have disrupted the entire network, significantly affecting both patients and employees.

Ransomware attacks are an increasing worry in the health IT industry, as organizations continue to digitize the systems in which data is stored. In new research conducted by Verizon, it was found that the rate of ransomware breaches increased by approximately thirteen percent in 2022, a figure that eclipsed the previous five years

