CHRISTUS Spohn Health System Corporation Files Notice of Data Breach in the Wake of Apparent Ransomware Attack

Console and Associates, P.C.

On July 1, 2022, CHRISTUS Spohn Health System Corporation (“CHRISTUS”) filed an official notice of a data breach with the U.S. Department of Health and Human Services Office for Civil Rights following what appears to be a large-scale ransomware attack. While CHRISTUS reported the breach, it has yet to provide many details about the incident. However, the ransomware group AvosLocker has since taken credit for the incident, posting samples of the allegedly stolen data to the dark web, which included patients’ protected health information. It is estimated that the CHRISTUS breach affected the information of more than 15,000 individuals.

If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the CHRISTUS Spohn Health System data breach, please see our recent piece on the topic here.

More Details About the CHRISTUS Spohn Health System Data Breach

Information about the CHRISTUS Spohn Health System Corporation breach comes from several sources, primarily the health system’s filing with the federal government and statements made by CHRISTUS representatives as well as AvosLocker. Evidently, CHRISTUS noticed early signs of unauthorized activity on its computer system and was able to stop the attack. A CHRISTUS representative explained that “the incident is limited and didn’t impact any of Christus Health’s patient care or clinical operations.”

In response, CHRISTUS enlisted the help of cybersecurity professionals to further investigate the incident. The health system has yet to provide additional information to the public about the breach. However, on July 1, 2022, CHRISTUS Spohn Health System Corporation filed notice of the breach with the U.S. Department of Health and Human Services Office for Civil Rights, noting that the incident is expected to have impacted 15,062 people.

AvosLocker is a group that offers ransomware as a service and works with “affiliates” from across the world. These affiliates target victims, extort money and split any proceeds with a core group of hackers. AvosLocker first showed up on the radar in July 2021, and the group is believed to have orchestrated more than 50 ransomware attacks.

CHRISTUS Spohn Health System Corporation is a faith-based, not-for-profit health system based in Irving, Texas. CHRISTUS operates more than 600 centers, including long-term care facilities, community hospitals, walk-in clinics and health ministries. The CHRISTUS ministries include:

  • CHRISTUS Good Shepherd Health System

  • CHRISTUS Ochsner Health System

  • CHRISTUS Santa Rosa Health System

  • CHRISTUS Shreveport-Bossier Health System

  • CHRISTUS Southeast Texas Health System

  • CHRISTUS Spohn Health System

  • CHRISTUS St. Frances Cabrini

  • CHRISTUS St. Michael Health System

  • CHRISTUS St. Vincent Regional Medical Center

  • CHRISTUS Trinity Mother Frances Health System

CHRISTUS Spohn Health System employs more than 45,000 people, roughly 15,000 of whom are physicians, and generates approximately $7 billion in annual revenue.

Cyberattacks Targeting Protected Health Information Are on the Rise

CHRISTUS Spohn Health System has not provided a detailed list of the data types that were leaked in the recent breach. However, based on secondary reports, it appears that the compromised data involves the protected health information of certain patients.

Protected health information refers to data relating to a patient’s past, present or future health condition. Protected health information also includes data regarding how a patient pays for their healthcare, such as insurance, Medicare or Medicaid information. However, to be considered “protected” health information, data must contain one or more identifiers that can be used to identify the patient. For example, names, Social Security numbers and addresses are all identifiers. The result is that when protected health information is leaked, anyone can pair the leaked information to a specific patient.

The consequences of a healthcare data breach are very real. Often, the data obtained through a healthcare data breach provides the hacker with enough information to steal a patient’s identity. However, identity theft in the wake of a healthcare data breach is harder to rectify and often comes at a greater cost to the victim. This is because the hackers who orchestrate these attacks often do so in hopes of obtaining valuable information they can then sell to a third party.

In turn, a third party can then use the data to obtain medical treatment in the victim patient’s name. Of course, this can result in the patient being billed for healthcare services they never received. However, the more serious risk is that the third party provides healthcare providers with information about themselves that ends up in the real patient’s medical record. For example, the third party may give the doctor their own list of medications or allergies. This information can, and often does, end up in a victim’s medical record, which can result in the victim not receiving the appropriate treatment the next time they visit the doctor.

Data breaches involving protected health information must be taken seriously by patients and providers. For those looking to learn more about what to do in the wake of such a breach, as well as their ability to file a legal claim against the provider who leaked their data, speaking with a data breach lawyer is a good first step.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Console and Associates, P.C.
