
Inspired by faith. Driven by innovation. Powered by humankindness. CommonSpirit Health is building a healthier future for all through its integrated health services. As one of the nation’s largest nonprofit Catholic healthcare organizations, CommonSpirit Health delivers more than 20 million patient encounters annually through more than 2,300 clinics, care sites and 138 hospital-based locations, in addition to its home-based services and virtual care offerings. CommonSpirit has more than 160,000 employees, 45,000 nurses and 25,000 physicians and advanced practice providers across 24 states and contributes more than $5 billion annually in charity care, community benefits, and unreimbursed government programs. Together with our patients, physicians, partners, and communities, we are creating a more just, equitable, and innovative healthcare delivery system. Learn more at commonspirit.org.

CommonSpirit Health A.I CyberSecurity Scoring

CommonSpirit Health

Company Details

LinkedIn ID: commonspirithealth
Number of employees: 44,829
Number of followers: 138,733
NAICS: 62
Industry Type: Hospitals and Health Care
Homepage: commonspirit.careers
IP Addresses: 0
Company ID: COM_4874380
Scan Status: In-progress

CommonSpirit Health Risk Score (AI oriented): Between 650 and 699


CommonSpirit Health Company CyberSecurity News & History

Past Incidents: 11
Attack Types: 4

CHI
Data Leak
Severity: 85
Impact: 3
Seen: 02/2019
Rankiteo Explanation: Attack with significant impact with internal employee data leaks

Description: CHI Health locations in Omaha experienced an IT security incident that affected electronic health records and other systems of the organization. Following the incident, some information technology systems were taken offline as a precautionary measure, the organization said. All CHI Health facilities in Omaha, including Lakeside Hospital, Creighton University Medical Center-Bergan Mercy, and Immanuel Medical Center, have been impacted. The organization also stated that its facilities are following existing protocols for system outages and taking steps to minimize the disruption.

CommonSpirit Health
Breach
Severity: 100
Impact: 4
Seen: 6/2022
Rankiteo Explanation: Attack with significant impact with customers data leaks

Description: CommonSpirit Health is now facing a class action lawsuit because of the cyberattacks that it faced in 2022. The lawsuit was initiated because the attacks impacted facilities across one of the largest nonprofit healthcare systems in the US. In early October 2022, CommonSpirit began reporting IT outages, EHR downtime, and appointment cancellations, later confirming that these disruptions were caused by attacks. The latest lawsuit alleges that CommonSpirit lost control of highly sensitive information as a result of the breach and suggests that the health system has not been forthcoming about the breach. It also alleges that the actual number of victims of the data breach may be much higher, approximately twenty million individuals. The plaintiffs are seeking reimbursement for out-of-pocket costs, credit monitoring services, and improvements to CommonSpirit’s data security systems.

CommonSpirit Health
Cyber Attack
Severity: 100
Impact: 7
Seen: 10/2022
Rankiteo Explanation: Attack that could injure or kill people

Description: CommonSpirit, the second-largest nonprofit hospital chain in the U.S., suffered a cybersecurity incident that disrupted medical services across the country. The attack caused certain IT systems including electronic health records and other systems to go offline which resulted in rescheduling some patient appointments.

CommonSpirit Health
Ransomware
Severity: 100
Impact: 7
Seen: 10/2022
Rankiteo Explanation: Attack that could injure or kill people

Description: In October 2022, **CommonSpirit Health**, one of the largest nonprofit Catholic health systems in the U.S. (operating in **Alabama, Arizona, California, Colorado, Iowa, Kansas, Kentucky, Nebraska, Nevada, New Mexico, Ohio, South Carolina, Tennessee, Texas, Virginia, and Washington**), fell victim to a **ransomware attack** that crippled its IT systems across **140 hospitals and 1,000+ care sites**. The attack, attributed to **criminal hackers**, forced emergency room diversions, delayed surgeries (including critical procedures like cancer treatments), and disrupted access to electronic health records (EHRs) for weeks. Patient data—including **medical histories, financial records, and personally identifiable information (PII)**—was encrypted, with threat actors demanding a ransom for decryption. While CommonSpirit confirmed no evidence of **data exfiltration for extortion**, the operational outage **threatened patient safety**, as clinicians reverted to paper records, increasing risks of errors. The incident also triggered **regulatory scrutiny** under HIPAA, with potential fines for compliance failures. The financial toll exceeded **$150 million** in recovery costs, excluding reputational damage from public distrust and patient lawsuits. The attack underscored vulnerabilities in healthcare cybersecurity, particularly for **large, multi-state providers** reliant on interconnected systems.

CommonSpirit Health
Ransomware
Severity: 100
Impact: 6
Seen: 10/2022
Rankiteo Explanation: Attack threatening the economy of a geographical region

Description: One of the largest nonprofit healthcare systems in the U.S., CommonSpirit was targeted by a ransomware attack that caused widespread IT outages at hospitals across the country. The attack impacted several electronic health record systems across the country. CommonSpirit investigated the incident and hired cybersecurity specialists to deal with the response and contain the incident.

Dignity Health
Breach
Severity: 60
Impact: 3
Seen: 9/2017
Rankiteo Explanation: Attack with significant impact with internal employee data leaks

Description: The California Office of the Attorney General reported a data breach involving Dignity Health - Mercy San Juan Medical Center on November 13, 2017. From September 8 to 12, 2017, a software error in the Employee Self Service system exposed employee names, employee ID numbers, and Social Security Numbers to other internal staff. The total number of individuals affected is unknown.

Dignity Health (St. Rose Dominican Hospital, Rosa de Lima Campus)
Breach
Severity: 85
Impact: 4
Seen: 3/2024
Rankiteo Explanation: Attack with significant impact with customers data leaks

Description: An unauthorized third party accessed the **personal identifying information (PII)** and **protected health information (PHI)** of patients at **Dignity Health’s St. Rose Dominican Hospital (Rosa de Lima Campus)**. The compromised data included **names, contact details, Social Security numbers, dates of birth, clinical/diagnosis records, medical account numbers, and service locations**. The breach, disclosed around **March 2024**, led to a **$675,000 class-action settlement** to cover identity theft risks, fraudulent transactions, falsified tax returns, and unauthorized medical claims. Patients were offered **credit monitoring, medical identity-theft protection, and reimbursements up to $2,500** for extraordinary losses. The incident exposed victims to **financial fraud, medical identity theft, and reputational harm**, with potential long-term consequences for affected individuals. The breach was attributed to a **cybersecurity failure allowing external access to sensitive records**.

Dignity Health
Breach
Severity: 85
Impact: 4
Seen: 6/2015
Rankiteo Explanation: Attack with significant impact with customers data leaks

Description: On June 9, 2016, Dignity Health reported a data breach involving patient information accessed inappropriately by a case manager employed by their business partner, naviHealth, from June 2015 to May 2016. The breach potentially affected various personal and clinical information of patients, including names, social security numbers, and health insurance details. Dignity Health is offering 12 months of free credit monitoring to affected individuals.

Dignity Health
Breach
Severity: 85
Impact: 4
Seen: 8/2016
Rankiteo Explanation: Attack with significant impact with customers data leaks

Description: Dominican Hospital, part of Dignity Health, accidentally suffered from a data breach incident in August 2016. The attack compromised the name, account number, admission date, length of stay, total charges, unit they were seen in, room number they were seen in, and insurance carrier name. The health plan that received the transmission has been cooperating with the hospital and is expected to provide an attestation that the errant data was destroyed. Dominican Hospital took action and provided training sessions to their staff and took disciplinary action.

Dominican Hospital
Breach
Severity: 85
Impact: 4
Seen: 7/2016
Rankiteo Explanation: Attack with significant impact with customers data leaks

Description: On July 28, 2016, Dominican Hospital, a healthcare facility under the jurisdiction of the California Office of the Attorney General, suffered a data breach involving the unauthorized transmission of a Microsoft Excel workbook via secured email. The file was sent to a local health plan but inadvertently included patient information for individuals not affiliated with the plan. The exposed data comprised sensitive details such as **names, account numbers, and medical records**, though **Social Security numbers were not compromised**. The breach raised concerns over **patient privacy violations** and **potential misuse of medical data**, which could lead to identity theft, targeted phishing, or fraudulent medical claims. While the exact number of affected individuals remains undisclosed (marked as 'UNKN'), the incident underscored vulnerabilities in **data-sharing protocols** between healthcare providers and third-party entities. The exposure of **medical information**—a highly regulated and sensitive data category—poses long-term risks, including reputational damage to the hospital and erosion of patient trust. Regulatory scrutiny under **HIPAA (Health Insurance Portability and Accountability Act)** likely followed, given the nature of the compromised data.

St. Joseph's Medical Center
Breach
Severity: 25
Impact: 1
Seen: 8/2018
Rankiteo Explanation: Attack without any consequences

Description: The California Office of the Attorney General reported that Dignity Health St. Joseph's Medical Center experienced a data breach involving limited patient information due to mislaid hard drives discovered on August 9, 2018. The breach was reported on August 31, 2018, affecting an unknown number of individuals, and involved demographic and clinical information but not financial data or social security numbers.


Underwriter Stats for CommonSpirit Health

Incidents vs Hospitals and Health Care Industry Average (This Year)

No incidents recorded for CommonSpirit Health in 2025.

Incidents vs All-Companies Average (This Year)

No incidents recorded for CommonSpirit Health in 2025.

Incident Types CommonSpirit Health vs Hospitals and Health Care Industry Avg (This Year)

No incidents recorded for CommonSpirit Health in 2025.

Incident History — CommonSpirit Health (X = Date, Y = Severity)

CommonSpirit Health cyber incidents detection timeline including parent company and subsidiaries


CommonSpirit Health Similar Companies

Northwell Health

Northwell Health is New York State’s largest health care provider and private employer, with 21 hospitals, about 900 outpatient facilities and more than 12,000 affiliated physicians. We care for over two million people annually in the New York metro area and beyond, thanks to philanthropic support

Mount Sinai Health System

The Mount Sinai Health System is an integrated health system committed to providing distinguished care, conducting transformative research, and advancing biomedical education. Structured around seven hospital campuses and a single medical school, the Health System has an extensive ambulatory netwo

Jefferson Health

Thomas Jefferson University and Thomas Jefferson University Hospitals are partners in providing excellent clinical and compassionate care for our patients in the Philadelphia region, educating the health professionals of tomorrow in a variety of disciplines and discovering new knowledge that will de

Nationwide Children's Hospital

Nationwide Children’s is one of America's largest pediatric hospitals, an international leader in research and is ranked in all 10 specialties on U.S. News & World Report’s 2025-26 “America’s Best Children’s Hospitals” list. Our staff, comprised of 1,600 medical professionals and over 16,000 employe

R1 RCM

R1 is the leader in healthcare revenue management, helping providers achieve new levels of performance through smart orchestration. A pioneer in the industry, R1 created the first Healthcare Revenue Operating System: a modular, intelligent platform that integrates automation, AI, and human expertise

Cincinnati Children's

Cincinnati Children’s, a nonprofit academic medical center established in 1883, offers services from well-child care to treatment for the most rare and complex conditions. It is the Department of Pediatrics at the University of Cincinnati College of Medicine and trains more than 600 residents and cl

Emory Healthcare

Emory Healthcare is the most comprehensive health care system in Georgia. We offer 11 hospitals, the Emory Clinic, more than 250 provider locations, and more than 2,800 physicians specializing in 70 different medical subspecialties. Meaning we can provide treatments and services that may not be avai

Hapvida NotreDame Intermédica

With around 80 years of experience, Hapvida is today the largest integrated healthcare company in Latin America. The company, which has more than 69 thousand employees, serves almost 16 million health and dental plan beneficiaries spread across the five regions of Brazil. The whole structure was built

IQVIA

IQVIA (NYSE:IQV) is a leading global provider of clinical research services, commercial insights and healthcare intelligence to the life sciences and healthcare industries. IQVIA’s portfolio of solutions are powered by IQVIA Connected Intelligence™ to deliver actionable insights and services built o


CommonSpirit Health CyberSecurity News

November 22, 2024 08:00 AM
CommonSpirit partners up with U of U for clinical collaboration

Patients from five of the health system's hospitals will now have access to University of Utah Health providers and resources through the...

July 19, 2024 07:00 AM
CrowdStrike outage hits US hospitals

The cybersecurity firm released what was meant to be a routine software update, but now health systems, including CommonSpirit Health and...

June 25, 2024 07:00 AM
Novant hires cyber exec from CommonSpirit

Sanjeev Sah will take on the chief information security officer role at the North Carolina-based health system after about four years at CommonSpirit Health.

June 24, 2024 07:00 AM
Cybersecurity expert Sanjeev Sah named chief information security officer at Novant Health

WINSTON-SALEM, N.C. (June 24, 2024) – Novant Health welcomes Sanjeev Sah as its chief information security officer (CISO).

June 02, 2024 07:00 AM
Why the Cyberattack on Ascension Scared 5 Hospital Execs & How They’re Responding

This piece explores reactions from five different health system executives about the recent attack on Ascension — as well as what they're doing...

May 01, 2024 07:00 AM
Federal Judge Tosses CommonSpirit Health Data Breach Lawsuit Due to Lack of Standing

A federal court judge has recommended a class action lawsuit against CommonSpirit Health over its 2022 data breach should be dismissed.

September 22, 2023 07:00 AM
CommonSpirit Health ends fiscal year with $1.4B operating loss, 2,000 job cuts

The 145-hospital nonprofit system's improving volumes were undercut by lagging reimbursement, high costs and a cybersecurity incident.

August 05, 2023 07:00 AM
Ransomware Attack Disrupts Health Care Services in at Least Three States (Published 2023)

It was not immediately clear how many locations operated by Prospect Medical Holdings were affected but some sites had to cut back services...

August 01, 2023 07:00 AM
Chattanooga Heart Institute investigating cybersecurity incident

The Chattanooga Heart Institute, the cardiac care service provider for CHI Memorial, is the latest known local health care provider to fall...


Frequently Asked Questions

Explore insights on cybersecurity incidents, risk posture, and Rankiteo's assessments.

CommonSpirit Health CyberSecurity History Information

Official Website of CommonSpirit Health

The official website of CommonSpirit Health is http://www.commonspirit.careers.

CommonSpirit Health’s AI-Generated Cybersecurity Score

According to Rankiteo, CommonSpirit Health’s AI-generated cybersecurity score is 682, reflecting their Weak security posture.

How many security badges does CommonSpirit Health have?

According to Rankiteo, CommonSpirit Health currently holds 0 security badges, indicating that no recognized compliance certifications are currently verified for the organization.

Does CommonSpirit Health have SOC 2 Type 1 certification?

According to Rankiteo, CommonSpirit Health is not certified under SOC 2 Type 1.

Does CommonSpirit Health have SOC 2 Type 2 certification?

According to Rankiteo, CommonSpirit Health does not hold a SOC 2 Type 2 certification.

Does CommonSpirit Health comply with GDPR?

According to Rankiteo, CommonSpirit Health is not listed as GDPR compliant.

Does CommonSpirit Health have PCI DSS certification?

According to Rankiteo, CommonSpirit Health does not currently maintain PCI DSS compliance.

Does CommonSpirit Health comply with HIPAA?

According to Rankiteo, CommonSpirit Health is not compliant with HIPAA regulations.

Does CommonSpirit Health have ISO 27001 certification?

According to Rankiteo, CommonSpirit Health is not certified under ISO 27001, indicating the absence of a formally recognized information security management framework.

Industry Classification of CommonSpirit Health

CommonSpirit Health operates primarily in the Hospitals and Health Care industry.

Number of Employees at CommonSpirit Health

CommonSpirit Health employs approximately 44,829 people worldwide.

Subsidiaries Owned by CommonSpirit Health

CommonSpirit Health presently has no subsidiaries across any sectors.

CommonSpirit Health’s LinkedIn Followers

CommonSpirit Health’s official LinkedIn profile has approximately 138,733 followers.

NAICS Classification of CommonSpirit Health

CommonSpirit Health is classified under the NAICS code 62, which corresponds to Health Care and Social Assistance.

CommonSpirit Health’s Presence on Crunchbase

No, CommonSpirit Health does not have a profile on Crunchbase.

CommonSpirit Health’s Presence on LinkedIn

Yes, CommonSpirit Health maintains an official LinkedIn profile, actively used for branding and talent engagement, which can be accessed here: https://www.linkedin.com/company/commonspirithealth.

Cybersecurity Incidents Involving CommonSpirit Health

As of November 27, 2025, Rankiteo reports that CommonSpirit Health has experienced 11 cybersecurity incidents.

Number of Peer and Competitor Companies

CommonSpirit Health has an estimated 30,007 peer or competitor companies worldwide.

What types of cybersecurity incidents have occurred at CommonSpirit Health?

Incident Types: The types of cybersecurity incidents that have occurred include Data Leak, Breach, Cyber Attack and Ransomware.

What was the total financial impact of these incidents on CommonSpirit Health?

Total Financial Loss: The total financial loss from these incidents is estimated to be $0.

How does CommonSpirit Health detect and respond to cybersecurity incidents?

Detection and Response: The company detects and responds to cybersecurity incidents through remediation measures (training sessions provided to staff, disciplinary action, 12 months of free credit monitoring offered to affected individuals, a class action settlement, and credit/medical monitoring services for affected individuals), third-party assistance from cybersecurity specialists, containment measures (systems taken offline), and a communication strategy (written notifications to affected patients in March 2024 and a settlement claims process with deadlines).

Incident Details

Can you provide details on each incident?

Incident: Data Breach

Title: Dominican Hospital Data Breach

Description: Dominican Hospital, part of Dignity Health, accidentally suffered from a data breach incident in August 2016. The attack compromised the name, account number, admission date, length of stay, total charges, unit they were seen in, room number they were seen in, and insurance carrier name. The health plan that received the transmission has been cooperating with the hospital and is expected to provide an attestation that the errant data was destroyed. Dominican Hospital took action and provided training sessions to their staff and took disciplinary action.

Date Detected: August 2016

Type: Data Breach

Incident : Ransomware Attack

Title: Ransomware Attack on CommonSpirit Healthcare System

Description: CommonSpirit, one of the largest nonprofit healthcare systems in the U.S., was targeted by a ransomware attack that caused widespread IT outages at hospitals across the country.

Type: Ransomware Attack

Incident : Cyber Attack

Title: Cybersecurity Incident at CommonSpirit

Description: CommonSpirit, the second-largest nonprofit hospital chain in the U.S., suffered a cybersecurity incident that disrupted medical services across the country. The attack caused certain IT systems including electronic health records and other systems to go offline which resulted in rescheduling some patient appointments.

Type: Cyber Attack

Incident : Cyberattack

Title: CommonSpirit Health Cyberattacks

Description: CommonSpirit Health faced cyberattacks in 2022 that impacted facilities across one of the largest nonprofit healthcare systems in the US. The attacks resulted in IT outages, EHR downtime, and appointment cancellations. A class action lawsuit has been initiated alleging that the health system lost control of highly sensitive information and has not been forthcoming about the breach.

Date Detected: 2022-10

Type: Cyberattack

Incident : IT Security Incident

Title: IT Security Incident at CHI Health

Description: CHI Health locations in Omaha experienced an IT security incident that affected electronic health records and other systems of the organization. Some information technology systems have been taken offline as a precautionary measure. All CHI Health facilities in Omaha including Lakeside Hospital, Creighton University Medical Center-Bergan Mercy, and Immanuel Medical Center have been impacted. The organization is following existing protocols for system outages and taking steps to minimize the disruption.

Type: IT Security Incident

Incident : Data Breach

Title: Data Breach at Dignity Health - Mercy San Juan Medical Center

Description: A software error in the Employee Self Service system exposed employee names, employee ID numbers, and Social Security Numbers to other internal staff.

Date Detected: 2017-09-08

Date Publicly Disclosed: 2017-11-13

Type: Data Breach

Attack Vector: Software Error

Vulnerability Exploited: Employee Self Service system

Incident : Data Breach

Title: Dignity Health St. Joseph's Medical Center Data Breach

Description: The California Office of the Attorney General reported that Dignity Health St. Joseph's Medical Center experienced a data breach involving limited patient information due to mislaid hard drives discovered on August 9, 2018. The breach was reported on August 31, 2018, affecting an unknown number of individuals, and involved demographic and clinical information but not financial data or social security numbers.

Date Detected: 2018-08-09

Date Publicly Disclosed: 2018-08-31

Type: Data Breach

Attack Vector: Mislaid Hard Drives

Incident : Data Breach

Title: Dignity Health Data Breach

Description: A data breach involving patient information accessed inappropriately by a case manager employed by naviHealth, a business partner of Dignity Health, from June 2015 to May 2016.

Date Detected: 2016-05-01

Date Publicly Disclosed: 2016-06-09

Type: Data Breach

Attack Vector: Insider Threat

Vulnerability Exploited: Unauthorized Access

Threat Actor: Employee of naviHealth

Motivation: Unknown

Incident : Data Breach

Title: Data Breach at Dignity Health - St. Rose Dominican Hospital, Rosa de Lima Campus via R1 RCM Inc.

Description: An unauthorized third party accessed the personal identifying information (PII) and/or protected health information (PHI) of certain patients at Dignity Health's St. Rose Dominican Hospital, Rosa de Lima Campus. The breach exposed sensitive data including names, contact information, Social Security numbers, dates of birth, clinical/diagnosis information, and medical record numbers. A class action lawsuit was settled for $675,000, with affected patients eligible for reimbursements up to $2,500 and credit/medical monitoring services.

Date Publicly Disclosed: 2024-03

Type: Data Breach

Threat Actor: Unauthorized third party

Incident : Data Breach

Title: Dominican Hospital Data Breach (2016)

Description: The California Office of the Attorney General reported that Dominican Hospital experienced a data breach on July 28, 2016, affecting patient information. The incident involved the transmission of a Microsoft Excel workbook via secured email to a local health plan, potentially including information for patients not associated with the health plan. The breach affected an unknown number of individuals, with the compromised data consisting of names, account numbers, and medical information, but excluded social security numbers.

Date Detected: 2016-07-28

Type: Data Breach

Attack Vector: Human Error (Improper Data Transmission)

Incident : Ransomware

Title: None

Description: None

Type: Ransomware

What are the most common types of attacks the company has faced ?

Common Attack Types: The most common type of attack the company has faced is Breach.

Impact of the Incidents

What was the impact of each incident ?

Incident : Data Breach DIG15131522

Data Compromised: Name, Account number, Admission date, Length of stay, Total charges, Unit they were seen in, Room number they were seen in, Insurance carrier name

Incident : Ransomware Attack COM23211022

Systems Affected: Electronic health record systems

Downtime: Widespread IT outages

Incident : Cyber Attack COM01921122

Systems Affected: Electronic Health Records, Other IT Systems

Downtime: Some downtime resulting in rescheduling of patient appointments

Operational Impact: Disruption of medical services

Incident : Cyberattack COM205827123

Data Compromised: Highly sensitive information

Systems Affected: IT systems, EHR systems

Downtime: IT outages, EHR downtime

Operational Impact: Appointment cancellations

Legal Liabilities: Class action lawsuit

Incident : IT Security Incident CHI25116223

Systems Affected: electronic health records, other systems

Operational Impact: disruption

Incident : Data Breach DIG328072625

Data Compromised: Employee names, Employee id numbers, Social security numbers

Systems Affected: Employee Self Service system

Incident : Data Breach ST-429072725

Data Compromised: Demographic information, Clinical information

Incident : Data Breach DIG456080425

Data Compromised: Names, Social security numbers, Health insurance details

Incident : Data Breach DIG5762157091125

Data Compromised: Name, Contact information, Date of birth, Social security number, Location of services, Clinical/diagnosis information, Patient account number, Medical record number

Customer Complaints: Class action lawsuit filed

Brand Reputation Impact: Likely negative (settlement indicates reputational harm)

Legal Liabilities: $675,000 settlement

Identity Theft Risk: High (SSNs and medical data exposed)

Incident : Data Breach DIG014091825

Data Compromised: Names, Account numbers, Medical information

Identity Theft Risk: Low (no SSNs compromised)

What is the average financial loss per incident ?

Average Financial Loss: The average financial loss per incident is $0.00.

What types of data are most commonly compromised in incidents ?

Commonly Compromised Data Types: The types of data most commonly compromised in incidents are Name, Account Number, Admission Date, Length Of Stay, Total Charges, Unit They Were Seen In, Room Number They Were Seen In, Insurance Carrier Name, Highly sensitive information, Employee Names, Employee Id Numbers, Social Security Numbers, Demographic Information, Clinical Information, Personal Information, Clinical Information, PII, PHI, Names, Account Numbers and Medical Information.

Which entities were affected by each incident ?

Incident : Data Breach DIG15131522

Entity Name: Dominican Hospital

Entity Type: Hospital

Industry: Healthcare

Incident : Ransomware Attack COM23211022

Entity Name: CommonSpirit

Entity Type: Healthcare System

Industry: Healthcare

Location: U.S.

Size: Large

Incident : Cyber Attack COM01921122

Entity Name: CommonSpirit

Entity Type: Nonprofit Hospital Chain

Industry: Healthcare

Location: U.S.

Incident : Cyberattack COM205827123

Entity Name: CommonSpirit Health

Entity Type: Nonprofit healthcare system

Industry: Healthcare

Location: US

Size: Large

Customers Affected: Approx twenty million individuals

Incident : IT Security Incident CHI25116223

Entity Name: CHI Health

Entity Type: Healthcare

Industry: Healthcare

Location: Omaha

Incident : IT Security Incident CHI25116223

Entity Name: Lakeside Hospital

Entity Type: Hospital

Industry: Healthcare

Location: Omaha

Incident : IT Security Incident CHI25116223

Entity Name: Creighton University Medical Center-Bergan Mercy

Entity Type: Hospital

Industry: Healthcare

Location: Omaha

Incident : IT Security Incident CHI25116223

Entity Name: Immanuel Medical Center

Entity Type: Hospital

Industry: Healthcare

Location: Omaha

Incident : Data Breach DIG328072625

Entity Name: Dignity Health - Mercy San Juan Medical Center

Entity Type: Healthcare

Industry: Healthcare

Location: California

Incident : Data Breach ST-429072725

Entity Name: Dignity Health St. Joseph's Medical Center

Entity Type: Healthcare

Industry: Healthcare

Location: California

Incident : Data Breach DIG456080425

Entity Name: Dignity Health

Entity Type: Healthcare Provider

Industry: Healthcare

Incident : Data Breach DIG5762157091125

Entity Name: R1 RCM Inc.

Entity Type: Revenue Cycle Management Provider

Industry: Healthcare IT

Customers Affected: Patients of Dignity Health - St. Rose Dominican Hospital, Rosa de Lima Campus

Incident : Data Breach DIG5762157091125

Entity Name: Dignity Health dba St. Rose Dominican Hospital, Rosa de Lima Campus

Entity Type: Hospital

Industry: Healthcare

Location: Henderson, Nevada (implied by context)

Customers Affected: Current and former patients (exact number unspecified)

Incident : Data Breach DIG014091825

Entity Name: Dominican Hospital

Entity Type: Healthcare Provider

Industry: Healthcare

Location: California, USA

Customers Affected: UNKN

Incident : Ransomware COM3393533102425

Location: Alabama; Alaska; Arizona; Arkansas; California; Colorado; Connecticut; Delaware; Florida; Georgia; Hawaii; Idaho; Illinois; Indiana; Iowa; Kansas; Kentucky; Louisiana; Maine; Maryland; Massachusetts; Michigan; Minnesota; Mississippi; Missouri; Montana; Nebraska; Nevada; New Hampshire; New Jersey; New Mexico; New York; North Carolina; North Dakota; Ohio; Oklahoma; Oregon; Pennsylvania; Rhode Island; South Carolina; South Dakota; Tennessee; Texas; Utah; Vermont; Virginia; Washington; Washington D.C.; West Virginia; Wisconsin; Wyoming; Puerto Rico; US Virgin Islands; Armed Forces Americas; Armed Forces Pacific; Armed Forces Europe; Northern Mariana Islands; Marshall Islands; American Samoa; Federated States of Micronesia; Guam; Palau; Alberta, Canada; British Columbia, Canada; Manitoba, Canada; New Brunswick, Canada; Newfoundland, Canada; Nova Scotia, Canada; Northwest Territories, Canada; Nunavut, Canada; Ontario, Canada; Prince Edward Island, Canada; Quebec, Canada; Saskatchewan, Canada; Yukon Territory, Canada

Response to the Incidents

What measures were taken in response to each incident ?

Incident : Data Breach DIG15131522

Remediation Measures: Provided training sessions to staff, Took disciplinary action

Incident : Ransomware Attack COM23211022

Third Party Assistance: Cybersecurity specialists

Incident : IT Security Incident CHI25116223

Containment Measures: systems taken offline

Incident : Data Breach DIG456080425

Remediation Measures: Offering 12 months of free credit monitoring to affected individuals

Incident : Data Breach DIG5762157091125

Remediation Measures: Class action settlement, Credit/medical monitoring services for affected individuals

Communication Strategy: Written notifications to affected patients (March 2024), Settlement claims process with deadlines

How does the company involve third-party assistance in incident response ?

Third-Party Assistance: The company involves third-party assistance in incident response through Cybersecurity specialists.

Data Breach Information

What type of data was compromised in each breach ?

Incident : Data Breach DIG15131522

Type of Data Compromised: Name, Account number, Admission date, Length of stay, Total charges, Unit they were seen in, Room number they were seen in, Insurance carrier name

Personally Identifiable Information: name, account number, admission date, length of stay, total charges, unit they were seen in, room number they were seen in, insurance carrier name

Incident : Cyberattack COM205827123

Type of Data Compromised: Highly sensitive information

Number of Records Exposed: Approx twenty million individuals

Sensitivity of Data: High

Incident : Data Breach DIG328072625

Type of Data Compromised: Employee names, Employee id numbers, Social security numbers

Sensitivity of Data: High

Incident : Data Breach ST-429072725

Type of Data Compromised: Demographic information, Clinical information

Incident : Data Breach DIG456080425

Type of Data Compromised: Personal information, Clinical information

Sensitivity of Data: High

Personally Identifiable Information: Names, Social Security Numbers

Incident : Data Breach DIG5762157091125

Type of Data Compromised: PII, PHI

Sensitivity of Data: High (includes SSNs, medical records, and clinical data)

Data Exfiltration: Likely (data accessed by unauthorized third party)

Personally Identifiable Information: Name, Contact information, Date of birth, Social Security number, Patient account number, Medical record number

Incident : Data Breach DIG014091825

Type of Data Compromised: Names, Account numbers, Medical information

Number of Records Exposed: UNKN

Sensitivity of Data: Moderate (no SSNs, but medical and account data)

Data Exfiltration: Yes (transmitted via email)

Data Encryption: Yes (secured email)

File Types Exposed: Microsoft Excel workbook

Personally Identifiable Information: names, account numbers

What measures does the company take to prevent data exfiltration ?

Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: Provided training sessions to staff, Took disciplinary action, Offering 12 months of free credit monitoring to affected individuals, Class action settlement, Credit/medical monitoring services for affected individuals.

How does the company handle incidents involving personally identifiable information (PII) ?

Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) by taking systems offline.

Regulatory Compliance

Were there any regulatory violations and fines imposed for each incident ?

Incident : Cyberattack COM205827123

Legal Actions: Class action lawsuit

Incident : Data Breach DIG5762157091125

Legal Actions: Class action lawsuit settled for $675,000

Incident : Data Breach DIG014091825

Regulations Violated: Potential HIPAA violation (unauthorized disclosure of PHI)

Regulatory Notifications: California Office of the Attorney General

How does the company ensure compliance with regulatory requirements ?

Ensuring Regulatory Compliance: The company ensures compliance with regulatory requirements through Class action lawsuit and Class action lawsuit settled for $675,000.

References

Where can I find more information about each incident ?

Incident : Cyberattack COM205827123

Source: Class action lawsuit

Incident : Data Breach DIG328072625

Source: California Office of the Attorney General

Date Accessed: 2017-11-13

Incident : Data Breach ST-429072725

Source: California Office of the Attorney General

Incident : Data Breach DIG456080425

Source: Dignity Health

Incident : Data Breach DIG5762157091125

Source: Class Action Settlement Notice

Incident : Data Breach DIG5762157091125

Source: Settlement Administrator (R1/Dignity Data Incident Settlement)

Incident : Data Breach DIG014091825

Source: California Office of the Attorney General

Where can stakeholders find additional resources on cybersecurity best practices ?

Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at the following sources: Class action lawsuit; California Office of the Attorney General (Date Accessed: 2017-11-13); California Office of the Attorney General; Dignity Health; Class Action Settlement Notice; Settlement Administrator (R1/Dignity Data Incident Settlement); and California Office of the Attorney General.

Investigation Status

What is the current status of the investigation for each incident ?

Incident : Data Breach DIG5762157091125

Investigation Status: Settled (no further details on root cause investigation)

How does the company communicate the status of incident investigations to stakeholders ?

Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through Written Notifications To Affected Patients (March 2024) and Settlement Claims Process With Deadlines.

Stakeholder and Customer Advisories

Were there any advisories issued to stakeholders or customers for each incident ?

Incident : Data Breach DIG5762157091125

Stakeholder Advisories: Written Notifications To Affected Patients, Settlement Claims Process.

Customer Advisories: Eligibility Criteria: Patients of Dignity Health St. Rose Dominican Hospital, Rosa de Lima Campus; Received written notification in/around March 2024; PII/PHI potentially accessed. Claim Options: Out-of-pocket expenses (up to $500); Extraordinary losses (up to $2,500); Pro rata cash payment; 2 years of three-bureau credit monitoring + CyEx Medical Shield Total. Deadlines: opt-out 2025-10-13; claim submission 2025-11-11; final approval hearing 2025-11-14. Payout Methods: PayPal; Venmo; Zelle; Paper check (mail-only). Required Documentation: Notice ID and PIN from settlement notice; Receipts/bills for out-of-pocket expenses; Police reports/statements for extraordinary losses.

What advisories does the company provide to stakeholders and customers following an incident ?

Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: Written Notifications To Affected Patients and Settlement Claims Process. Eligibility Criteria: Patients of Dignity Health St. Rose Dominican Hospital, Rosa de Lima Campus; Received written notification in/around March 2024; PII/PHI potentially accessed. Claim Options: Out-of-pocket expenses (up to $500); Extraordinary losses (up to $2,500); Pro rata cash payment; 2 years of three-bureau credit monitoring + CyEx Medical Shield Total. Deadlines: opt-out 2025-10-13; claim submission 2025-11-11; final approval hearing 2025-11-14. Payout Methods: PayPal; Venmo; Zelle; Paper check (mail-only). Required Documentation: Notice ID and PIN from settlement notice; Receipts/bills for out-of-pocket expenses; Police reports/statements for extraordinary losses.

Post-Incident Analysis

What were the root causes and corrective actions taken for each incident ?

Incident : Data Breach DIG15131522

Corrective Actions: Provided Training Sessions To Staff, Took Disciplinary Action

Incident : Data Breach DIG328072625

Root Causes: Software Error

Incident : Data Breach DIG5762157091125

Corrective Actions: Settlement Payments, Credit/Medical Monitoring For Affected Individuals

Incident : Data Breach DIG014091825

Root Causes: Human Error In Data Transmission (Emailing Excel Workbook To Unauthorized Recipient)

What is the company's process for conducting post-incident analysis ?

Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as Cybersecurity specialists.

What corrective actions has the company taken based on post-incident analysis ?

Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: Provided Training Sessions To Staff, Took Disciplinary Action, Settlement Payments, Credit/Medical Monitoring For Affected Individuals.

Additional Questions

General Information

Who was the attacking group in the last incident ?

Last Attacking Group: The attacking groups in the last incident were an Employee of naviHealth and an Unauthorized third party.

Incident Details

What was the most recent incident detected ?

Most Recent Incident Detected: The most recent incident detected was in August 2016.

What was the most recent incident publicly disclosed ?

Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was in 2024-03.

Impact of the Incidents

What was the highest financial loss from an incident ?

Highest Financial Loss: The highest financial loss from an incident was a settlement fund of $675,000, with individual claims (out-of-pocket expenses: up to $500; extraordinary losses: up to $2,500; pro rata cash payment: varies, based on remaining funds) and administrative costs (settlement administration: to be determined; attorneys' fees: amount pending court approval; class representative award: up to $2,500).

What was the most significant data compromised in an incident ?

Most Significant Data Compromised: The most significant data compromised in an incident were name, account number, admission date, length of stay, total charges, unit they were seen in, room number they were seen in, insurance carrier name, Highly sensitive information, Employee names, Employee ID numbers, Social Security Numbers, Demographic Information, Clinical Information, Names, Social Security Numbers, Health Insurance Details, Name, Contact information, Date of birth, Social Security number, Location of services, Clinical/diagnosis information, Patient account number, Medical record number, names, account numbers and medical information.

What was the most significant system affected in an incident ?

Most Significant System Affected: The most significant systems affected in an incident were Electronic health record systems; Electronic Health Records and Other IT Systems; IT systems and EHR systems; electronic health records and other systems; and Employee Self Service system.

Response to the Incidents

What third-party assistance was involved in the most recent incident ?

Third-Party Assistance in Most Recent Incident: The third-party assistance involved in the most recent incident was Cybersecurity specialists.

What containment measures were taken in the most recent incident ?

Containment Measures in Most Recent Incident: The containment measure taken in the most recent incident was taking systems offline.

Data Breach Information

What was the most sensitive data compromised in a breach ?

Most Sensitive Data Compromised: The most sensitive data compromised in a breach were Date of birth, Location of services, Patient account number, Demographic Information, unit they were seen in, account numbers, name, room number they were seen in, Contact information, Social Security Numbers, Highly sensitive information, Name, total charges, Clinical/diagnosis information, medical information, insurance carrier name, Clinical Information, Names, Employee ID numbers, Social Security number, length of stay, admission date, Employee names, Medical record number, account number, Health Insurance Details and names.

What was the number of records exposed in the most significant breach ?

Number of Records Exposed in Most Significant Breach: The number of records exposed in the most significant breach was 0.

Regulatory Compliance

What was the most significant legal action taken for a regulatory violation ?

Most Significant Legal Action: The most significant legal action taken for a regulatory violation was Class action lawsuit and Class action lawsuit settled for $675,000.

References

What is the most recent source of information about an incident ?

Most Recent Source: The most recent sources of information about an incident are Class Action Settlement Notice, Class action lawsuit, California Office of the Attorney General, Settlement Administrator (R1/Dignity Data Incident Settlement) and Dignity Health.

Investigation Status

What is the current status of the most recent investigation ?

Current Status of Most Recent Investigation: The current status of the most recent investigation is Settled (no further details on root cause investigation).

Stakeholder and Customer Advisories

What was the most recent stakeholder advisory issued ?

Most Recent Stakeholder Advisory: The most recent stakeholder advisory issued was Written notifications to affected patients, Settlement claims process.

What was the most recent customer advisory issued ?

Most Recent Customer Advisory: The most recent customer advisory issued was: Eligibility Criteria: Patients of Dignity Health St. Rose Dominican Hospital, Rosa de Lima Campus; Received written notification in/around March 2024; PII/PHI potentially accessed. Claim Options: Out-of-pocket expenses (up to $500); Extraordinary losses (up to $2,500); Pro rata cash payment; 2 years of three-bureau credit monitoring + CyEx Medical Shield Total. Deadlines: opt-out 2025-10-13; claim submission 2025-11-11; final approval hearing 2025-11-14. Payout Methods: PayPal; Venmo; Zelle; Paper check (mail-only). Required Documentation: Notice ID and PIN from settlement notice; Receipts/bills for out-of-pocket expenses; Police reports/statements for extraordinary losses.

Post-Incident Analysis

What was the most significant root cause identified in post-incident analysis ?

Most Significant Root Cause: The most significant root causes identified in post-incident analysis were Software Error and Human error in data transmission (emailing Excel workbook to unauthorized recipient).

What was the most significant corrective action taken based on post-incident analysis ?

Most Significant Corrective Action: The most significant corrective actions taken based on post-incident analysis were Provided training sessions to staff, Took disciplinary action, Settlement payments, Credit/medical monitoring for affected individuals.

Latest Global CVEs (Not Company-Specific)

Description

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.16, 20.3.14, and 21.0.1, there is a XSRF token leakage via protocol-relative URLs in angular HTTP clients. The vulnerability is a Credential Leak by App Logic that leads to the unauthorized disclosure of the Cross-Site Request Forgery (XSRF) token to an attacker-controlled domain. Angular's HttpClient has a built-in XSRF protection mechanism that works by checking if a request URL starts with a protocol (http:// or https://) to determine if it is cross-origin. If the URL starts with protocol-relative URL (//), it is incorrectly treated as a same-origin request, and the XSRF token is automatically added to the X-XSRF-TOKEN header. This issue has been patched in versions 19.2.16, 20.3.14, and 21.0.1. A workaround for this issue involves avoiding using protocol-relative URLs (URLs starting with //) in HttpClient requests. All backend communication URLs should be hardcoded as relative paths (starting with a single /) or fully qualified, trusted absolute URLs.

Risk Information
cvss4
Base: 7.7
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Description

Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Uncontrolled Recursion vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded recursive parsing. This leads to a Denial-of-Service (DoS) via stack exhaustion when parsing untrusted DER inputs. This issue has been patched in version 1.3.2.

Risk Information
cvss4
Base: 8.7
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Description

Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Integer Overflow vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures containing OIDs with oversized arcs. These arcs may be decoded as smaller, trusted OIDs due to 32-bit bitwise truncation, enabling the bypass of downstream OID-based security decisions. This issue has been patched in version 1.3.2.

Risk Information
cvss4
Base: 6.3
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Description

Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Prior to versions 7.0.13 and 8.0.2, working with large buffers in Lua scripts can lead to a stack overflow. Users of Lua rules and output scripts may be affected when working with large buffers. This includes a rule passing a large buffer to a Lua script. This issue has been patched in versions 7.0.13 and 8.0.2. A workaround for this issue involves disabling Lua rules and output scripts, or making sure limits, such as stream.depth.reassembly and HTTP response body limits (response-body-limit), are set to less than half the stack size.

Risk Information
cvss3
Base: 7.5
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Description

Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. In versions from 8.0.0 to before 8.0.2, a NULL dereference can occur when the entropy keyword is used in conjunction with base64_data. This issue has been patched in version 8.0.2. A workaround involves disabling rules that use entropy in conjunction with base64_data.

Risk Information
cvss3
Base: 7.5
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Access Data Using Our API

Get company history

curl -i -X GET 'https://api.rankiteo.com/underwriter-getcompany-history?linkedin_id=commonspirithealth' -H 'apikey: YOUR_API_KEY_HERE'

What Do We Measure ?

Incident
Finding
Grade
Digital Assets

Every week, Rankiteo analyzes billions of signals to give organizations a sharper, faster view of emerging risks. With deeper, more actionable intelligence at their fingertips, security teams can outpace threat actors, respond instantly to Zero-Day attacks, and dramatically shrink their risk exposure window.

These are some of the factors we use to calculate the overall score:

Network Security

Identify exposed access points, detect misconfigured SSL certificates, and uncover vulnerabilities across the network infrastructure.

SBOM (Software Bill of Materials)

Gain visibility into the software components used within an organization to detect vulnerabilities, manage risk, and ensure supply chain security.

CMDB (Configuration Management Database)

Monitor and manage all IT assets and their configurations to ensure accurate, real-time visibility across the company's technology environment.

Threat Intelligence

Leverage real-time insights on active threats, malware campaigns, and emerging vulnerabilities to proactively defend against evolving cyberattacks.

Rankiteo is a unified scoring and risk platform that analyzes billions of signals weekly to help organizations gain faster, more actionable insights into emerging threats. Empowering teams to outpace adversaries and reduce exposure.