Common Spirit 2023 Data Breach

ObscureIQ Breach Intelligence

Classification Tags

Cl0p · Ransomware · Medical · Account Balance · Email Address · Full Name · Medical Diagnosis · Phone Number · Physical Address
High Severity · Website / service breach

CommonSpirit Health System Breach (2023): 11 Million Patient Records Including Medical Diagnoses Exposed

CommonSpirit Health - nonprofit Catholic hospital network operating 140+ hospitals across 21 states.

Verified by ObscureIQ Intelligence
Breach Risk Index: 65/100
Data Value: 40
Market Recency: 25
Since Breach: 509 days

Breach Intelligence Summary

Entity: Common Spirit · Actor: Cl0p · Sources: 2 references
Attack: Ransomware
Profile: Healthcare System · Hospital, clinic, and community health services · Nonprofit health system · USA
Timeline: Breach (2023-05-31) · Indexed (Dec 04, 2024) · Year (2023)
Exposure: 11.4M records · 6 fields: Account Balance, Email Address, Full Name, Medical Diagnosis, Phone Number, Physical Address
Status: Reported

Executive Summary

CommonSpirit Health, one of the largest nonprofit hospital networks in the United States, was swept up in the Cl0p ransomware gang's 2023 assault on the MOVEit file transfer platform. Attackers exploited a zero-day vulnerability in Progress Software's MOVEit Transfer tool during a window spanning May 28 to 31, 2023. The breach reached CommonSpirit through Nuance Communications, a transcription vendor used by several of its facilities that was routing files through the compromised platform. The full scale of the exposure did not become clear until December 2024, when a database labeled "commonspirit.org-2024" appeared on an underground marketplace containing 11,432,572 rows of patient records, roughly twice the number CommonSpirit had initially disclosed as at risk.

The exposed data includes full names, home addresses, phone numbers, email addresses, treating physician names, diagnosis and treatment codes, insurance provider details, and patient account balances. Medical diagnosis data was present for the full 11.4 million records. The combination of clinical and contact information creates serious risk for affected individuals. Security analysts have warned that this type of data can be used to carry out medical identity theft, prescription fraud, and highly targeted phishing attacks that exploit a person's specific treatment history or care relationships.

CommonSpirit's September 2023 disclosure characterized the exposure as limited to basic service information, drawing criticism that the true scope was significantly understated. The company offered one year of credit monitoring to affected individuals. Multiple class-action lawsuits were filed alleging negligence and inadequate notification; some were dismissed for lack of standing, though CommonSpirit remains a named defendant in the consolidated MOVEit multidistrict litigation pending in the District of Massachusetts. Affected patients face long-term exposure to fraud and scams and should monitor their insurance claims, medical records, and financial accounts for unauthorized activity.

ObscureIQ assessment: Severe risk of identity theft, medical fraud, insurance abuse, and targeted scams exploiting care relationships or treatment status.

Breach Impact

The 2023 incident reflects Cl0p's exploitation of a zero-day vulnerability in Progress Software's MOVEit Transfer platform at Nuance Communications, a transcription vendor serving CommonSpirit facilities. The attack window ran May 28–29, 2023. CommonSpirit posted an initial notice in September 2023 characterizing the exposure as limited — patient name, facility name, date and type of service, and for some patients a medical record number. A far broader dataset of 11.4 million records — including medical diagnoses and account balances — appeared on an underground marketplace in December 2024, contradicting the initial disclosure and drawing criticism that the scope had been understated. CommonSpirit offered one year of credit monitoring to affected individuals. Multiple class-action lawsuits were filed alleging negligence and delayed notification; some were dismissed for lack of standing at the district court level. CommonSpirit is a named defendant in the consolidated MOVEit multidistrict litigation in the District of Massachusetts.

About Common Spirit

CommonSpirit Health is one of the largest nonprofit Catholic hospital networks in the United States, formed through the 2019 merger of Dignity Health and Catholic Health Initiatives. The system operates more than 140 hospitals and 1,000 care sites across 21 states, serving approximately 20 million patients annually. It is headquartered in Chicago and employs more than 150,000 people. Regional operations include CHI Health, Virginia Mason Franciscan Health, and dozens of other affiliated networks.

Why They Hold Your Data

Large nonprofit health systems collect patient identity, contact, insurance, billing, appointment, and clinical records across hospitals, clinics, and community-care operations.

Recent Developments

CommonSpirit has been managing financial and operational recovery across its large hospital portfolio. The system reported a $160 million estimated cost from a major 2022 ransomware attack — separate from the 2023 MOVEit incident in this database — related to business interruption and remediation. The organization has continued its mission-driven care delivery model while facing sustained pressure from the combined costs of two significant security incidents in consecutive years.

Data Points Exposed

6 verified field types:
  • Account Balance: High
  • Email Address
  • Full Name: High
  • Medical Diagnosis: Critical
  • Phone Number
  • Physical Address: High

Field names are shown in full for clarity and search visibility. Canonical machine keys are emitted only in this page’s structured data.

Exploitation & Downstream Threats

Threat Activity: Critical
Primary downstream threats:
  • SIM swap attacks where phone numbers are present
  • Targeted phishing campaigns using exposed email addresses
  • Doxxing risk from physical address exposure
  • Medical identity fraud or insurance abuse using health data
Threat vectors:
  • High-value targeting
  • Phishing, credential stuffing & account takeover
  • Name-based social engineering
  • Medical extortion, insurance fraud & discrimination
  • SIM swapping, vishing & SMS phishing
  • Physical stalking, mail fraud & identity verification
  • Home targeting, stalking & physical threat

Threat Actor: Cl0p

Cl0p · Ransomware

Attribution and method are based on available breach intelligence. Reported attack vector: Ransomware.

Recommended Actions

If you believe your information may be included:

Enable MFA Everywhere
Turn on multi-factor authentication on email first, then financial accounts.
Report & Recover
If you spot misuse, start an official recovery plan and report fraud.

Frequently Asked Questions

What happened in the Common Spirit breach?

CommonSpirit Health, one of the largest nonprofit hospital networks in the United States, was swept up in the Cl0p ransomware gang's 2023 assault on the MOVEit file transfer platform. Attackers exploited a zero-day vulnerability in Progress Software's MOVEit Transfer tool during a window spanning…

What data was exposed?

Verified fields include Account Balance, Email Address, Full Name, Medical Diagnosis, Phone Number, Physical Address.

What should I do if I was affected?

Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.

Sources & References

Every claim on this page is traceable. This breach draws on:

  • Breach Index (DataBreach.com): record & field corroboration
  • ObscureIQ Intelligence (ObscureIQ proprietary analysis): Risk Index scoring & downstream-threat assessment
