CommonSpirit Health Data Breach

NOTICE: If you are a Washington State resident and you received a NOTICE OF DATA BREACH letter from CommonSpirit Health, contact the Arnold Law Firm at 916-777-7777 to discuss your legal options, or submit a confidential Case Evaluation form here.

On or about April 6, 2023, CommonSpirit Health (“CommonSpirit”) sent a Notice of Data Breach Letter (“Breach Letter”) to individuals, including customers and potential employees, former employees, and their dependents. The Breach Letter informed victims that their personally identifiable information (“PII”) was exposed when there was a “ransomware attack on [CommonSpirit’s] IT network” (the “Data Breach”).

According to the Breach Letter, CommonSpirit discovered the Data Breach on October 2, 2022 and determined that, between September 16, 2022 and October 3, 2022, hackers had gained access to its network without authorization. CommonSpirit has revealed that the PII available to the hackers during this breach includes, but is not limited to: name, address, date of birth, phone number(s), email address, as well as medical information such as dates of service, medical record number, healthcare provider’s name, diagnosis/treatment information, medical billing/claims information, patient’s facility associated account/encounter number, and health insurance information. For some individuals, their Social Security number was also accessed.

CommonSpirit discovered the Data Breach in early October 2022, but waited until April 6th, 2023 to send Breach Letters to victims.

CommonSpirit Health is a “leading provider of Medicaid services” and is based in Chicago, Illinois. It has a network of over 140 hospitals and 1,000 care sites across 21 different states, including Washington. It has over 150,000 employees and in 2022 had over $33.9 billion in revenue. The data of over 623,774 individuals was compromised by this data breach. If you received a Breach Letter from CommonSpirit or any of its related entities, you were impacted by the data breach.

WHAT INFORMATION IS INVOLVED?

According to CommonSpirit, the following information was exposed:

  • Names
  • Social Security numbers
  • Dates of birth
  • Mailing addresses
  • Phone numbers
  • Email addresses
  • Medical Information, including:
    • Dates of service
    • Medical record number
    • Healthcare provider’s name
    • Diagnosis/treatment information
    • Medical billing/claim information
    • Patient’s facility associated account/encounter number
    • Health insurance information

This information is called your Personally Identifiable Information (“PII”). It tells others about you and is considered part of your identity. Businesses are required to secure this information or risk facing statutory penalties, among other legal penalties. Stolen PII can be used by identity thieves to engage in fraudulent activity using your identity.

The best way to protect yourself after a data breach is to sign up for credit and identity protection services as soon as possible.
