Hospital Sisters Well being System notified over 882,000 sufferers that an August 2023 cyberattack led to a data breach that uncovered their private and well being info.
Established in 1875, HSHS works with over 2,200 physicians and has round 12,000 staff. It additionally operates a community of doctor practices and 15 native hospitals throughout Illinois and Wisconsin, together with two kids’s hospitals.
The non-profit healthcare system stated in data breach notifications despatched to these impacted that the incident was found on August 27, 2023, after detecting that the attacker had gained entry to HSHS’ community.
After the security breach, its programs have been additionally impacted by a widespread outage that took down “just about all working programs” and telephone programs throughout Illinois and Wisconsin hospitals. HSHS additionally employed exterior security specialists to analyze the assault, assess its influence, and assist its IT crew restore affected programs.
“We’re prioritizing affected person security as we set up a course of for restoration. With the help of third-party specialists, we’re bringing our programs again on-line as rapidly and as safely as attainable,” HSHS stated in a September 2024 assertion. “A well being system of our dimension operates lots of of system purposes throughout 1000’s of servers, and as such, our restoration and investigative work will take a while to finish.
Whereas the incident and the ensuing outage have all of the indicators of a ransomware assault, no ransomware operation has claimed the breach.
Following the forensic investigation, HSHS discovered that the attackers had accessed recordsdata on compromised programs between August 16 and August 27, 2023.
“We’ve since been reviewing these recordsdata and notifying people whose info was discovered within the recordsdata on a rolling foundation as our assessment has continued,” it stated.
The knowledge accessed by the menace actors whereas inside HSHS’ programs varies for every impacted particular person, and it features a mixture of title, deal with, date of start, medical report quantity, restricted remedy info, medical insurance info, Social Safety quantity, and/or driver’s license quantity.
Whereas HSHS added that there isn’t a proof that the victims’ info has been utilized in fraud or identification theft makes an attempt, it warned affected people to watch their account statements and credit score reviews for suspicious exercise. The well being system additionally affords these affected by the breach one yr of free Equifax credit score monitoring.
An HSHS spokesperson was not instantly out there for remark when contacted by BleepingComputer earlier in the present day to substantiate if the data breach resulted from a ransomware assault.
Final week, Connecticut healthcare supplier Neighborhood Well being Heart (CHC) alerted over 1 million sufferers of a data breach, whereas New York Blood Heart (NYBC), one of many world’s largest unbiased blood assortment and distribution organizations, stated {that a} ransomware assault compelled it to reschedule some appointments.
Earlier this month, UnitedHealth revealed that round 190 million Individuals had their info stolen in final yr’s Change Healthcare ransomware assault, virtually doubling the 100 million disclosed in October.
In late December, the U.S. Division of Well being and Human Companies (HHS) proposed HIPAA updates to safe sufferers’ well being information in response to a surge of huge healthcare security breaches.
