A recent ransomware attack on a major health system that operates over 1,000 hospitals and care facilities across 21 states could impact millions of Americans.

CommonSpirit Health was hit with a cyber attack on Oct. 3, which forced the health company to take certain computer systems offline "as a precautionary step," the company said shortly after it learned of the incident.

While it remains unclear whether patient health information was compromised, patients have reported the impacts of the cyber attack on their health care and treatments.

Here’s what to know about the cyber attack.


MercyOne Des Moines Medical Center

MercyOne in Des Moines had its computer systems taken offline following the attack. CommonSpirit Health is one of MercyOne's parent companies. (Google Maps)

What is CommonSpirit Health?

CommonSpirit, a nonprofit health system based in Chicago, operates 140 hospitals and more than 1,000 care sites across 21 states, the health system says on its website.

In 2019, CommonSpirit treated 20 million patients, according to the website for Dignity Health International, which is part of the CommonSpirit Health family.

What happened?

CommonSpirit’s computer systems were targeted in a ransomware attack in October, interrupting access to electronic health records and delaying patient care in multiple regions.

Russian cyber warfare

It’s unclear whether sensitive information about patients were stolen in the cyber attack. ( Jakub Porzycki/NurPhoto via Getty Images)

It’s unclear whether sensitive information about patients was stolen in the cyber attack.

Cybersecurity experts are continuing to investigate.

Who has been affected?

The ransomware attack has had significant consequences on patients after electronic medical records were no longer accessible due to the systems going offline.

A photo of a doctor and patient's hand

CommonSpirit last week said patients' electronic health records were available after its system was taken offline following the cyber attack. (iStock)

Kelley Parsi told WHO-TV that she took her son, Jay, to MercyOne Des Moines Medical Center to be treated for dehydration the same day the facility’s technical issues began. She said a doctor told her that her son was mistakenly given five times what was prescribed for pain medicine after their systems went offline. 


Some patients across the country had to delay important surgeries.

Kathy Kellogg was scheduled to have a cancerous tumor on her tongue removed at Virginia Mason Franciscan Health in Seattle but was forced to reschedule due to the CommonSpirit’s system going offline, KING-TV reported.

What is being done?

CommonSpirit released an update on Nov. 9, over a month after the ransomware attack, and said it is still working to bring its systems online and restore full functionality as quickly and safely as possible.

Electronic health records are now available across its system, including at hospitals and clinics, and most patients can again review their medical histories through the patient portal, the health system said, adding that it is working to restore appointment scheduling capabilities to the portal.


"At CommonSpirit Health, we are dedicated to meeting the needs of the communities we serve and are guided by our core set of values, which include integrity, excellence, and collaboration," CommonSpirit said. "We are grateful to our committed staff and physicians, who are doing everything possible to mitigate the impact to our patients and maintain continuity of care."