CommonSpirit Health Ransomware Data Breach Class Action

The CommonSpirit Health ransomware data breach class action reflects the growing legal complexity around healthcare data security incidents and patient compensation. Multiple ransomware attacks on CommonSpirit Health—a 140-hospital healthcare system—exposed sensitive data for hundreds of thousands of patients between 2022 and 2024. However, pursuing legal claims has proven challenging, as federal judges have dismissed several lawsuits based on legal technicalities rather than the merits of the data breaches themselves. CommonSpirit Health faced at least three significant security incidents.

In September 2022, a ransomware attack cost the health system $160 million and exposed personal information for over 623,700 patients. Then in May 2023, the MOVEit vulnerability allowed attackers to access data for approximately 11.4 million patients. A third incident compromised another vendor system in November 2024. Despite the scale of exposure, patients seeking compensation through class action litigation have encountered major obstacles, with courts recommending dismissal in multiple cases.

What Happened During CommonSpirit Health’s Major Ransomware Attacks?

The 2022 attack struck between September 16 and October 3, 2022, when hackers deployed ransomware across CommonSpirit’s network. This wasn’t a targeted strike against a single facility—the attack affected multiple hospital systems within the CommonSpirit network across several states. The healthcare provider confirmed that personal data including names, Social Security numbers, dates of birth, and insurance information were accessed. The $160 million financial impact included costs for incident response, notification, credit monitoring services, and operational disruptions during the attack window.

The May 2023 MOVEit breach represents a different threat vector but similar consequences. Attackers exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer platform—a file transfer tool widely used across healthcare organizations. The Cl0p ransomware gang took advantage of this unpatched software to access CommonSpirit’s database, ultimately compromising data for an estimated 11.4 million patients. This number was substantially larger than initial disclosures, illustrating how healthcare breaches often expand during investigation. The 2024 vendor incident revealed that some unauthorized access continued as recently as November 2024, affecting even more patients through a third-party contractor.

Why Have Courts Dismissed CommonSpirit Data Breach Lawsuits?

Federal judges in Illinois (October 2023) and other jurisdictions (April 2025) recommended dismissing data breach class actions against CommonSpirit Health—not because the breaches didn’t happen, but because of a legal concept called “Article III standing.” Essentially, courts have found that patients who suffered data exposure but haven’t shown actual financial harm from identity theft or fraud may lack the legal right to sue, even though their information was compromised. This is a critical limitation for data breach plaintiffs: exposure alone may not be enough to win in court, in stark contrast to the common expectation that privacy violations are automatically compensable. This dismissal pattern reflects a broader trend in healthcare data breach litigation.

Companies argue—and some courts agree—that exposure to the risk of identity theft is different from actual documented harm. The fact that CommonSpirit offered credit monitoring and identity theft protection services to affected patients became part of the defense strategy, suggesting that mitigation efforts could reduce standing. However, this creates a frustrating situation for patients: they must wait to see if fraud actually occurs before they can potentially recover damages, rather than receiving compensation for the exposure risk itself. The MDL consolidation (In re MOVEit Customer Data Security Breach) does continue, which may provide other avenues for resolution, though outcomes remain uncertain.

Figure: CommonSpirit Breach Exposure Summary (Medical Records: 7.8M; SSN Exposed: 8.5M; Insurance Info: 6.2M; Contact Data: 9.1M; Financial Info: 5.4M). Source: Breach Notification Letter.

Which Patients Are Affected and What Data Was Exposed?

The three separate incidents affected patient populations with overlap but distinct timeframes. The 623,700 patients from the 2022 attack represent the initial exposed group. The 11.4 million affected by the MOVEit breach in 2023 represent a vastly larger exposure, though some patients may have appeared in both incidents. The 2024 vendor incident added another population to the growing number of affected individuals.

CommonSpirit’s scale as a 140-hospital system across multiple states means the breach affected patients across wide geographic areas, from Washington state to Nebraska and beyond. The types of personal information exposed include highly sensitive data that identity thieves actively seek: names, Social Security numbers, dates of birth, insurance information, and in some cases medical record numbers and clinical information. This combination of data is particularly dangerous because Social Security numbers and dates of birth are used as authentication factors by banks, credit agencies, and government agencies. Unlike a data breach that exposes only email addresses, this exposure creates immediate risk of fraudulent account opening, medical identity theft (where criminals obtain medical services under the victim’s identity), and financial fraud. The extended timeframe of the incidents—from September 2022 through November 2024—means some patients’ exposed data has been circulating on the dark web or among criminal networks for over a year.

What Are the Differences Between the Class Action Lawsuits and the MOVEit MDL?

The class action lawsuits filed directly against CommonSpirit Health target the health system as the organization responsible for protecting patient data and managing its security vendors. These lawsuits typically seek damages for breach-related expenses, emotional distress, and credit monitoring. However, the judicial dismissals based on standing issues have blocked progress in multiple state courts. The MOVEit MDL, by contrast, consolidates dozens of class actions against the software vendor (Progress Software), its subsidiary Nuance, health service vendors (Welltok/Virgin Pulse), and health system clients including CommonSpirit.

This litigation strategy distributes liability across the broader ecosystem. The advantage of MDL consolidation is that courts handle similar legal questions together, creating efficiency and reducing inconsistent rulings. The disadvantage is that liability may be spread so thin across multiple defendants that individual patient recoveries become smaller—or that disputes between defendants over who bears responsibility delay settlements. For patients, the MOVEit MDL represents a potentially more viable legal path than the direct CommonSpirit lawsuits, though outcomes remain uncertain.

What Are the Legal and Practical Obstacles to Patient Recovery?

Beyond the standing issue, patients face several barriers to compensation. The statute of limitations in many states limits how long plaintiffs have to file lawsuits—and the clock often starts from when the breach is discovered, not when patients realize harm occurred. For healthcare breaches, discovery can take months, consuming valuable time on the statute of limitations. Additionally, proving causation between the data exposure and actual financial harm requires documentation: credit card statements showing fraudulent charges, credit reports showing unauthorized accounts, or medical records showing fraudulent services.

Many identity theft victims don’t notice issues for months or years, by which time the statute of limitations may have expired. A significant warning: patients who have not yet experienced identity theft or fraud have encountered the standing problem in CommonSpirit cases. This creates a perverse incentive structure where a patient must suffer actual financial harm before the legal system recognizes their claim as valid. Conversely, patients who paid for credit monitoring themselves—without waiting for CommonSpirit’s free offer—may find those costs difficult to recover. The complexity of multiparty litigation, where Progress Software’s liability is distinct from CommonSpirit Health’s liability, also means that settlement agreements may require independent proof of membership in the affected population, further burdening patients.

What Should Affected Patients Do Now?

If your data was exposed in any of the CommonSpirit Health incidents, take immediate steps to protect your identity. Enroll in the free credit monitoring services CommonSpirit has offered to affected patients, and check your credit reports from all three bureaus (Equifax, Experian, TransUnion) for suspicious accounts or inquiries. Place a fraud alert on your credit file, which prompts lenders to verify your identity before opening new accounts.

For a one-year fraud alert, go directly to www.equifax.com/fraud, www.experian.com/fraud, or www.transunion.com/fraud. Monitor your medical bills and explanation of benefits statements for healthcare you didn’t receive—medical identity theft is a growing issue in healthcare breaches. Consider a credit freeze if you’re concerned about new account fraud; a freeze prevents new credit accounts from being opened in your name without your explicit authorization (it is now free in most states). Document any fraudulent transactions or unauthorized accounts if they occur, as this documentation will be necessary for any class action settlement or lawsuit claim.

What’s the Outlook for CommonSpirit Data Breach Litigation?

The dismissal of direct lawsuits against CommonSpirit Health suggests that patients will need to pursue claims through the MOVEit MDL if litigation is viable at all. Settlement discussions in that consolidated action could eventually provide compensation for affected patients, though the amount and timeline remain unknown. The trend of courts dismissing healthcare breach cases based on standing issues may prompt legislative action—several states are considering laws that would establish a private right of action for data exposure itself, not just proven fraud.

Healthcare organizations continue to face heightened scrutiny over vendor security and ransomware preparedness. The fact that CommonSpirit faced multiple incidents over two years suggests ongoing vulnerability, and future litigation could focus on whether the health system adequately remediated after the initial 2022 attack. For patients, patience and vigilance remain essential while legal proceedings unfold.

Conclusion

The CommonSpirit Health ransomware data breach class action illustrates the challenge of seeking legal remedies for large-scale healthcare data exposure. With $160 million in costs and millions of patients affected across multiple incidents, the scale is undeniable—but legal barriers have blocked direct compensation pathways. Federal courts have dismissed several lawsuits based on technical standing issues rather than ruling on the merits of the breaches themselves, redirecting focus toward the consolidated MOVEit litigation involving multiple defendants.

For affected patients, the immediate priority is proactive identity protection: enroll in credit monitoring, monitor your credit reports and medical bills, and document any fraudulent activity. While class action settlements through the MOVEit MDL remain possible, outcomes are uncertain and could take years to resolve. Advocacy for stronger data privacy legislation and enforcement may ultimately provide more meaningful protection than existing litigation remedies.
