Recently, CommonSpirit reported to the Attorney General of Washington that it had experienced a data breach in which sensitive personal identifiable information and protected health information in its care may have been compromised. According to the breach notice, on November 25, 2024, Pinnacle Holdings, LTD (“Pinnacle”), a healthcare consulting company that works with CommonSpirit’s vendor Northgauge Healthcare Advisors (“Northgauge”), experienced a network disruption that impacted certain systems on its network.1 As a result, Pinnacle launched an investigation to determine the nature of the incident.
Through its investigation, Pinnacle confirmed to Northgauge and CommonSpirit that sensitive personal information in its systems related to CommonSpirit patients may have been [accessed and acquired by an unauthorized third party between November 11 and November 25, 2024. As a result, Pinnacle began a review of the data on behalf of Northgauge CommonSpirit to determine what information had been impacted as well as identify the specific individuals affected. While the information impacted varies depending on the individual, the type of information potentially exposed includes:4
- Name
- Medical information
- Date of birth
- Other sensitive personal information
As a result of the breach, Pinnacle and Northgauge began mailing data breach notification letters to impacted individuals on behalf of CommonSpirit. Based on the breach notice sent to residents, CommonSpirit is providing affected individuals with a list of the specific types of sensitive information impacted and complimentary credit monitoring services. A link to the form breach notification letters that CommonSpirit filed with the Attorney General of Washington is below.