
A data breach at a healthcare consulting company has exposed the personal and medical information of patients connected to CommonSpirit Health, one of the largest nonprofit health systems in the United States. The breach affected at least 19,027 Washington state residents, according to a disclosure filed with the Washington State Attorney General on Feb. 25, 2026.
The breach took place between Nov. 11 and Nov. 25, 2024, when an unauthorized actor accessed systems belonging to Pinnacle Holdings Ltd., a healthcare consulting vendor. The exposed information may include names, dates of birth, Social Security numbers, medical records and other sensitive data.
CommonSpirit Health learned about the affected Washington residents on Feb. 2, 2026.
On Nov. 25, 2024, Pinnacle Holdings Ltd. discovered a network disruption affecting certain systems. The incident was reported as a ransomware attack. According to the notification sent to consumers, Pinnacle isolated its network, implemented additional security measures, and engaged third-party specialists to investigate the nature and scope of the incident.
The investigation determined that an unauthorized actor accessed a portion of Pinnacle's network and copied limited information between Nov. 11 and Nov. 25, 2024. Pinnacle then launched a review to determine what types of data were involved and which individuals were affected.
Pinnacle is a healthcare consulting company that served as a vendor to Northgauge Healthcare Advisors. Northgauge, in turn, provides services to CommonSpirit Health. Through this chain of vendor relationships, patient information connected to CommonSpirit Health was stored on Pinnacle's systems at the time of the breach.
The timeline for notifying affected individuals stretched over more than a year. According to the disclosure filed with the Washington Attorney General, Pinnacle initially notified Northgauge of the incident in November 2025, roughly 12 months after the breach occurred. However, confirming and identifying the specific individuals whose data was affected was not completed until Jan. 30, 2026. Northgauge then notified CommonSpirit Health on Feb. 2, 2026, about the Washington residents involved in the incident.
The types of information that may have been exposed vary by individual. According to the consumer notification, the compromised data could include patient name, address, phone number, email address, Social Security number, driver's license or state ID number, date of birth, medical diagnosis and treatment information, prescription information, date of service, patient ID number, provider name, medical record number, Medicare or Medicaid number, health insurance information, health insurance claim number, health insurance policy number and treatment cost information.
Upon discovering the breach, Pinnacle reported the incident to law enforcement and launched an investigation. The company also implemented additional safeguards to strengthen data security and help prevent similar incidents in the future.
CommonSpirit Health has posted a notice about the incident on its website. Notification letters are being mailed to affected individuals as contact information is confirmed. Those letters include details about the breach and steps people can take to protect themselves.
Affected individuals are being offered free credit monitoring and identity protection services through Kroll. According to the notification letter, these services include:
To activate these services, affected individuals can visit Kroll's enrollment website using the membership number included in their notification letter. There is a deadline to enroll, which is also listed in the letter.
Pinnacle has set up a dedicated call center to answer questions about the breach. It can be reached at 866-686-2607 between 7 a.m. and 4:30 p.m. Mountain Time, Monday through Friday, excluding major U.S. holidays.
People can also write to Pinnacle at 9085 E. Mineral Circle, Suite 110, Centennial, CO 80112.
Because this breach involved Social Security numbers, medical records and other highly sensitive data, affected individuals should act quickly to protect themselves. Here are specific steps to consider.
Place a credit freeze. A credit freeze prevents new credit accounts from being opened using a person's personal information. It is free to place and lift under federal law. Affected individuals should contact all three major credit bureaus:
Set up a fraud alert. A fraud alert requires businesses to verify a person's identity before extending new credit. An initial fraud alert lasts one year. Victims of identity theft can request an extended alert lasting seven years. Contacting any one of the three credit bureaus will place the alert across all three.
Monitor credit reports. Under federal law, everyone is entitled to one free credit report per year from each of the three major bureaus. These can be requested at AnnualCreditReport.com or by calling 1-877-322-8228. Individuals should review their reports carefully for unfamiliar accounts or credit inquiries they did not authorize.
Review medical records and insurance statements. Because protected health information was potentially exposed, affected individuals should carefully review their Explanation of Benefits statements from their health insurance plans. They should look for medical services, prescriptions or charges they do not recognize. These could be signs of medical identity theft. If anything looks wrong, they should contact their health insurance provider right away.
Request an IRS Identity Protection PIN. Since Social Security numbers may have been exposed, affected individuals may want to request an Identity Protection PIN from the IRS. This six-digit number helps prevent someone else from filing a tax return using their Social Security number.
Watch for phishing attempts. People affected by this breach should be cautious of emails, phone calls or text messages that reference CommonSpirit Health, Pinnacle Holdings or this specific incident. Scammers sometimes use breach notifications as an opportunity to trick people into sharing more personal information. Legitimate notices about this breach will never ask for passwords or payment information.
File a report if needed. Anyone who discovers suspicious activity or becomes a victim of identity theft has the right to file a report with local law enforcement. They can also file a complaint with the Federal Trade Commission at identitytheft.gov or by calling 1-877-438-4338.







