Hospital Sisters Well being System notified over 882,000 sufferers that an August 2023 cyberattack led to a knowledge breach that uncovered their private and well being info.
Established in 1875, HSHS works with over 2,200 physicians and has round 12,000 staff. It additionally operates a community of doctor practices and 15 native hospitals throughout Illinois and Wisconsin, together with two kids’s hospitals.
The non-profit healthcare system mentioned in information breach notifications despatched to these impacted that the incident was found on August 27, 2023, after detecting that the attacker had gained entry to HSHS’ community.
After the safety breach, its techniques have been additionally impacted by a widespread outage that took down “just about all working techniques” and telephone techniques throughout Illinois and Wisconsin hospitals. HSHS additionally employed exterior safety specialists to research the assault, assess its influence, and assist its IT workforce restore affected techniques.
“We’re prioritizing affected person security as we set up a course of for restoration. With the assist of third-party specialists, we’re bringing our techniques again on-line as rapidly and as safely as attainable,” HSHS mentioned in a September 2024 assertion. “A well being system of our measurement operates a whole bunch of system purposes throughout hundreds of servers, and as such, our restoration and investigative work will take a while to finish.
Whereas the incident and the ensuing outage have all of the indicators of a ransomware assault, no ransomware operation has claimed the breach.
Following the forensic investigation, HSHS discovered that the attackers had accessed recordsdata on compromised techniques between August 16 and August 27, 2023.
“We now have since been reviewing these recordsdata and notifying people whose info was discovered within the recordsdata on a rolling foundation as our assessment has continued,” it mentioned.
The data accessed by the menace actors whereas inside HSHS’ techniques varies for every impacted particular person, and it features a mixture of identify, handle, date of delivery, medical document quantity, restricted remedy info, medical insurance info, Social Safety quantity, and/or driver’s license quantity.
Whereas HSHS added that there is no such thing as a proof that the victims’ info has been utilized in fraud or identification theft makes an attempt, it warned affected people to watch their account statements and credit score experiences for suspicious exercise. The well being system additionally affords these affected by the breach one 12 months of free Equifax credit score monitoring.
An HSHS spokesperson was not instantly accessible for remark when contacted by BleepingComputer earlier at this time to verify if the information breach resulted from a ransomware assault.
Final week, Connecticut healthcare supplier Neighborhood Well being Heart (CHC) alerted over 1 million sufferers of an information breach, whereas New York Blood Heart (NYBC), one of many world’s largest unbiased blood assortment and distribution organizations, mentioned {that a} ransomware assault pressured it to reschedule some appointments.
Earlier this month, UnitedHealth revealed that round 190 million People had their info stolen in final 12 months’s Change Healthcare ransomware assault, nearly doubling the 100 million disclosed in October.
In late December, the U.S. Division of Well being and Human Providers (HHS) proposed HIPAA updates to safe sufferers’ well being information in response to a surge of large healthcare safety breaches.
