commonspirit.org-2024

Common Spirit Breach

May 31, 2023

11,432,572 rows

Added on Dec 4, 2024


What happened in the Common Spirit Breach?

DataBreach.com Team · December 3rd 2024, 7:00 pm EST

In May 2023, nationwide Catholic hospital network CommonSpirit Health, whose regional arms include CHI Health and Virginia Mason Franciscan, became one of hundreds of organizations ensnared in the Cl0p ransomware gang’s zero-day assault on Progress Software’s MOVEit Transfer platform. During a 48-hour window (May 28-31), attackers quietly siphoned off files that Nuance Communications, a transcription vendor used by several CommonSpirit facilities, was shuttling through MOVEit.

What surfaced later

On 4 December 2024 a database titled commonspirit.org-2024 appeared on an underground breach marketplace. It contained 11,432,572 rows, roughly twice the head-count of patients that CommonSpirit initially said were at risk.

Data points exposed   

  • Full names (11.4 M)   
  • Home addresses (11.4 M)   
  • Phone numbers (11.3 M)   
  • Email addresses (10.0 M)   
  • Treating-doctor names (10.4 M)   
  • Diagnosis and treatment codes (11.4 M)   
  • Insurance-provider details (2.9 M)   
  • Patient-account balances (5.3 M)   

Although Social Security and payment-card numbers were not in the dump, security analysts warned that the mix of contact information plus granular clinical data could power medical-identity theft, prescription fraud and highly convincing spear-phishing.

Timeline and transparency questions

  • 13 Sep 2023: CommonSpirit posted a bare-bones “Progress Software Security Incident” notice, emphasizing that only limited PHI (patient name, facility, date/type of service, MRN for some) had been affected.   
  • Dec 2024 leak: The far broader 11.4-million-record trove contradicted those early assurances, sparking fresh criticism that the system had understated the scope and waited more than three months to alert many patients.   
  • Remediation offer: One year of credit monitoring, derided by privacy advocates as inadequate given the lifelong value of health-care data on the dark web.

Early legal fallout   

CommonSpirit (under the CHI Health name) is now a named defendant in the sweeping In re MOVEit Customer Data Security Breach MDL (No. 3083, D. Mass.), which consolidates dozens of class actions against Progress Software, Nuance, Welltok/Virgin Pulse and their health-system clients. Plaintiffs allege negligence and violations of HIPAA and state consumer-protection statutes for failing to patch MOVEit servers promptly and for providing delayed, incomplete notice.   

Why this breach matters   

  • Scale & sensitivity: At 11 million patients, it rivals Anthem 2015 and Premera Blue Cross 2015 in PHI magnitude, but with richer clinical context.
  • Third-party risk spotlight: The incident underscores how a single vulnerable file-transfer tool at a vendor can cascade across health-system giants bound by shared EHRs and business-associate agreements.   
  • Legal precedent: How the MDL allocates liability between software maker, vendor and covered-entity could redefine the duty-of-care standard for HIPAA “downstream” partners handling protected health information.   

Hospitals have long been prized ransomware targets for their lifesaving urgency. The CommonSpirit MOVEit episode shows that even when care delivery isn’t disrupted, the aftershocks of mass PHI leakage (regulatory scrutiny, class actions and reputational damage) can last far longer than any operating-room outage.