CommonSpirit Health, one of the largest Catholic health systems in the United States operating over 140 hospitals across 21 states, disclosed that patient data was exposed through a ransomware attack on Pinnacle Holdings Ltd. — a subcontractor of healthcare consulting firm NorthGauge Healthcare Advisors, which itself works with CommonSpirit. The attack occurred between November 11 and November 25, 2024, but affected individuals were not notified until early 2026 — a 14-month gap from intrusion to patient notification. At least 19,027 Washington state residents are confirmed affected, with the full national scope still undetermined as the incident has not yet appeared on the HHS Office for Civil Rights breach portal.
What Happened
The attack chain spans three organizational layers: CommonSpirit Health (the healthcare provider), NorthGauge Healthcare Advisors (a consulting firm contracted by CommonSpirit), and Pinnacle Holdings Ltd. (a subcontractor used by NorthGauge). The ransomware operators breached Pinnacle's network and maintained access for 14 days — November 11 through November 25, 2024 — exfiltrating files before being detected. Pinnacle isolated its network upon detection and engaged a third-party forensic firm to review the compromised data.
The timeline of disclosure is as damning as the breach itself:
- November 2024 — Intrusion occurs; Pinnacle detects and contains it
- November 2025 — One full year later, Pinnacle informs NorthGauge of the breach
- January 30, 2026 — NorthGauge confirms the identities of affected individuals
- February 2, 2026 — CommonSpirit Health is notified about impacted Washington residents
- March 2026 — Breach notices filed with the Washington Attorney General; patients notified
From intrusion to patient notification: approximately 14–15 months. The forensic review of exfiltrated files — necessary to determine whether specific individuals' PHI was included — accounts for part of the delay, but a 12-month gap between breach and subcontractor notification to the consulting firm is extraordinarily prolonged and almost certainly non-compliant with HIPAA breach notification requirements.
What Was Taken
The specific data categories exposed have not been fully enumerated in public filings. Based on the nature of NorthGauge's consulting relationship with CommonSpirit and the confirmed involvement of patient data, the exfiltrated files likely include:
- Patient names and demographic information
- Health record identifiers linking individuals to CommonSpirit's system
- Potentially clinical or administrative data shared with NorthGauge in the course of healthcare consulting engagements
- Internal consulting documents containing patient-level data used in performance analysis, utilization review, or population health work
The Washington AG breach notice confirms patient data was involved. The absence of the incident from the HHS OCR breach portal — which tracks healthcare breaches affecting 500 or more individuals — suggests national-level notifications either remain in progress or have not yet been filed, leaving the true scope of affected patients unknown.
Why It Matters
This case is a textbook illustration of fourth-party risk: the threat doesn't come from your vendor, it comes from your vendor's vendor. CommonSpirit Health had no direct contractual relationship with Pinnacle Holdings, yet Pinnacle held data traceable to CommonSpirit's patients. This is now the standard operating condition across U.S. healthcare: large health systems sit at the top of sprawling vendor ecosystems where patient data flows freely several tiers deep.
The 14-month notification delay is a systemic failure across all three organizations. HIPAA's Breach Notification Rule requires covered entities and their business associates to notify affected individuals within 60 days of discovering a breach. A subcontractor that takes 12 months to inform the consulting firm it works with is not operating within any reasonable interpretation of that obligation — and a consulting firm that then takes two more months to confirm affected individuals compounds the failure.
CommonSpirit is no stranger to catastrophic cyber incidents. In October 2022, the health system suffered a direct ransomware attack that disrupted operations across hundreds of facilities for weeks. The recurrence of patient data exposure — this time via an indirect vendor chain — signals that supply chain security controls remain inadequate even at large, well-resourced health systems.
The Attack Technique
The specific initial access vector for the Pinnacle Holdings intrusion has not been publicly disclosed. The 14-day dwell period before detection is relatively short by ransomware standards, suggesting either automated detection triggered containment or the attackers moved quickly to exfiltration and encryption without extended reconnaissance. Key characteristics of the attack:
- Double extortion pattern — Files were exfiltrated before the network was isolated, indicating data theft preceded or accompanied encryption — consistent with the dominant ransomware model of 2024–2026
- 14-day active access window — Sufficient time for systematic file staging and bulk exfiltration of sensitive consulting documents
- Subcontractor targeting — Pinnacle Holdings as a smaller vendor likely had materially weaker security controls than either NorthGauge or CommonSpirit, making it an attractive proxy target for accessing healthcare supply chain data
The ransomware group responsible has not been publicly named in available reporting.
What Organizations Should Do
- Map your vendor ecosystem to the third and fourth tier — Most healthcare organizations can name their direct vendors but cannot identify their vendors' vendors. Conduct a supply chain mapping exercise that traces where patient data flows beyond your direct BAAs. Every organization in that chain with access to PHI is a potential breach vector and a HIPAA compliance obligation.
- Require mandatory breach notification SLAs from all vendors and subcontractors — Pinnacle's 12-month delay in notifying NorthGauge is possible only because no contractual SLA required faster action. All BAAs and vendor agreements should specify notification within 5–10 business days of confirmed or suspected unauthorized access, with financial penalties for non-compliance and termination rights for material delays.
- Conduct annual security assessments of high-risk subcontractors — Healthcare consulting firms that receive patient-level data for analytics, utilization review, or population health work should be required to demonstrate the security posture of their own subcontractors. Request SOC 2 Type II reports, penetration test summaries, or conduct right-to-audit assessments for any fourth-party that handles PHI.
- Implement data minimization in consulting engagements — NorthGauge's consulting work with CommonSpirit should not require transferring individually identifiable patient data to a subcontractor unless strictly necessary. Anonymized or de-identified datasets should be used for consulting analytics wherever possible, limiting breach impact when subcontractor security fails.
- Verify HHS OCR reporting compliance across your vendor chain — The absence of this incident from the HHS OCR breach portal despite confirmed patient impact in Washington state suggests a potential federal reporting gap. Covered entities should actively monitor whether their BAA partners are meeting federal breach reporting obligations, not just state AG filings, and treat unreported breaches as compliance violations in their vendor risk programs.
- Accelerate forensic review timelines for exfiltrated healthcare data — The stated reason for the extended notification delay was the time required to review exfiltrated files for PHI. Healthcare organizations and their vendors should pre-position relationships with forensic review firms that specialize in PHI identification in bulk file sets, with predefined escalation timelines that do not allow forensic review to stretch beyond 90 days under any circumstances.
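The first two recommendations above (mapping PHI flow beyond the direct BAA tier, and measuring each hop of the notification chain against a deadline) can be turned into a small, repeatable check. The script below is an added example, not code from the article or from any of the organizations named in it. It rebuilds the three-tier vendor graph and the disclosure timeline from the article; where the article gives only a month (November 2025, March 2026), the first of that month is assumed and marked as such in the code.

```python
"""Vendor-chain mapping and breach-notification latency audit.

Added example; organisations and dates are taken from the article above.
Where the article gives only a month, the first of that month is ASSUMED.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# HIPAA Breach Notification Rule outer limit: notification no later than
# 60 calendar days after discovery of the breach.
HIPAA_NOTIFY_DAYS = 60


@dataclass
class Org:
    name: str
    handles_phi: bool                                    # holds patient-level data?
    vendors: list[Org] = field(default_factory=list)     # downstream recipients of that data


def phi_holders(root: Org) -> list[tuple[int, str]]:
    """Breadth-first walk of the vendor graph from the covered entity.

    Returns (tier, name) for every organisation that holds PHI. Tier 1 is a
    direct vendor (normally under a BAA); tier 2 and deeper are fourth
    parties with which the covered entity has no direct contract.
    """
    found: list[tuple[int, str]] = []
    seen = {id(root)}
    frontier = [(0, root)]
    while frontier:
        tier, org = frontier.pop(0)
        if tier > 0 and org.handles_phi:
            found.append((tier, org.name))
        for vendor in org.vendors:
            if id(vendor) not in seen:          # guard against cycles in the graph
                seen.add(id(vendor))
                frontier.append((tier + 1, vendor))
    return found


def audit_notifications(events: list[tuple[str, date]],
                        limit_days: int = HIPAA_NOTIFY_DAYS) -> list[dict]:
    """Latency of each hop in a chronological chain of (label, date) events.

    Every hop is compared against limit_days and flagged 'late' when it
    exceeds it. The first hop (intrusion -> detection) is dwell time rather
    than a notification hop, but is reported on the same scale for context.
    """
    hops = []
    for (prev_label, prev_date), (label, when) in zip(events, events[1:]):
        days = (when - prev_date).days
        hops.append({"hop": f"{prev_label} -> {label}",
                     "days": days,
                     "late": days > limit_days})
    return hops


def total_delay_days(events: list[tuple[str, date]]) -> int:
    """Calendar days from the first event to the last (intrusion to patient notice)."""
    return (events[-1][1] - events[0][1]).days


# --- Vendor graph as described in the article ----------------------------
pinnacle = Org("Pinnacle Holdings Ltd.", handles_phi=True)
northgauge = Org("NorthGauge Healthcare Advisors", handles_phi=True, vendors=[pinnacle])
commonspirit = Org("CommonSpirit Health", handles_phi=True, vendors=[northgauge])

# --- Disclosure timeline from the article (ASSUMED = day of month not stated)
TIMELINE = [
    ("intrusion begins",                date(2024, 11, 11)),
    ("Pinnacle detects and contains",   date(2024, 11, 25)),
    ("Pinnacle informs NorthGauge",     date(2025, 11, 1)),   # ASSUMED day
    ("NorthGauge confirms individuals", date(2026, 1, 30)),
    ("CommonSpirit notified",           date(2026, 2, 2)),
    ("patients notified",               date(2026, 3, 1)),    # ASSUMED day
]

if __name__ == "__main__":
    for tier, name in phi_holders(commonspirit):
        flag = "  <-- fourth party, no direct BAA" if tier >= 2 else ""
        print(f"tier {tier}: {name}{flag}")
    for hop in audit_notifications(TIMELINE):
        status = "LATE" if hop["late"] else "ok  "
        print(f"{hop['days']:>4}d  {status}  {hop['hop']}")
    print(f"intrusion to patient notification: {total_delay_days(TIMELINE)} days")
```

Run against the article's own timeline, the audit flags the Pinnacle-to-NorthGauge hop and the NorthGauge confirmation step as exceeding the 60-day window, while the CommonSpirit notification (3 days) passes. The same `audit_notifications` call with `limit_days` set to a contractual SLA (for example 10 days) is how a vendor risk program would test each partner's actual notification performance rather than its promised one.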