CommonSpirit Health, one of the largest nonprofit hospital networks in the United States, was swept up in the Cl0p ransomware gang's 2023 assault on the MOVEit file transfer platform. Attackers exploited a zero-day vulnerability in Progress Software's MOVEit Transfer tool during a window spanning May 28 to 31, 2023. The breach reached CommonSpirit through Nuance Communications, a transcription vendor used by several of its facilities that was routing files through the compromised platform. The full scale of the exposure did not become clear until December 2024, when a database labeled "commonspirit.org-2024" appeared on an underground marketplace containing 11,432,572 rows of patient records, roughly twice the number CommonSpirit had initially disclosed as at risk. The exposed data includes full names, home addresses, phone numbers, email addresses, treating physician names, diagnosis and treatment codes, insurance provider details, and patient account balances. Medical diagnosis data was present for the full 11.4 million records. The combination of clinical and contact information creates serious risk for affected individuals. Security analysts have warned that this type of data can be used to carry out medical identity theft, prescription fraud, and highly targeted phishing attacks that exploit a person's specific treatment history or care relationships. CommonSpirit's September 2023 disclosure characterized the exposure as limited to basic service information, drawing criticism that the true scope was significantly understated. The company offered one year of credit monitoring to affected individuals. Multiple class-action lawsuits were filed alleging negligence and inadequate notification; some were dismissed for lack of standing, though CommonSpirit remains a named defendant in the consolidated MOVEit multidistrict litigation pending in the District of Massachusetts. Affected patients face long-term exposure to fraud and scams and should monitor their insurance claims, medical records, and financial accounts for unauthorized activity.

Large nonprofit health systems collect patient identity, contact, insurance, billing, appointment, and clinical records across hospitals, clinics, and community-care operations.

CommonSpirit has been managing financial and operational recovery across its large hospital portfolio. The system reported a $160 million estimated cost from a major 2022 ransomware attack — separate from the 2023 MOVEit incident in this database — related to business interruption and remediation. The organization has continued its mission-driven care delivery model while facing sustained pressure from the combined costs of two significant security incidents in consecutive years.