Patient Data Leaked in Cyberattack on Virginia Mason Franciscan Health


Some personal patient data was leaked in a recent ransomware attack on Virginia Mason Franciscan Health's parent company, the health care system announced Thursday afternoon.

CommonSpirit Health, the company affiliated with 10 VMFH hospitals throughout the Puget Sound region, is investigating the cyberattack but said the names, addresses, phone numbers and dates of birth of some patients, their family members or their caregivers were included in leaked files. Unique ID numbers the hospital used internally (not insurance ID or the medical record number) were also included.

It's unclear how many patients were affected, said CommonSpirit spokesperson Chad Burns. The company confirmed there's been no evidence yet that any personal information has been "misused."

"We apologize for any concern this may cause," CommonSpirit said in a statement. "CommonSpirit Health and its affiliated entities ... take the protection and proper use of personal information very seriously."

The Chicago-based health care company announced in mid-October it had been hit by ransomware, a form of malicious software. Puget Sound-area patients and providers had begun noticing system outages among VMFH hospitals. Appointments were canceled or rescheduled, and MyChart, a patient portal used to track electronic health records, medications and test results, remained down for about two weeks while the company took certain systems offline and began investigating.

On Thursday, CommonSpirit confirmed the "unauthorized third party" gained access to certain parts of its network between Sept. 16 and Oct. 3. During that two-week stretch, the third party might have accessed patients' personal information, the statement said.

Electronic systems have since been brought back online, with additional security and monitoring tools, the statement said.

CommonSpirit, which has 140 hospitals in 21 states, has notified law enforcement and continues to assist in the investigation. The company added it took steps to protect its electronic systems, contain the incident and maintain continuity of care.

In Washington, VMFH hospitals include St. Michael Medical Center in Silverdale, St. Anne Hospital in Burien, St. Anthony Hospital in Gig Harbor, St. Clare Hospital in Lakewood, St. Elizabeth Hospital in Enumclaw, St. Francis Hospital in Federal Way and St. Joseph Hospital in Tacoma.

CommonSpirit's review is ongoing so no further details were available about whether the cyberattack also involved patient data from its other hospitals across the country, Burns said.

CommonSpirit plans to mail letters to all affected patients, starting Thursday. It also encouraged patients of VMFH facilities to review their health care statements for accuracy and report any unusual services or charges to their provider or insurer.

Anyone with questions about the cyberattack can visit the company's website at or call a hotline at 855-504-2738 from 7 a.m. to 4:30 p.m. Monday through Friday, excluding holidays.