Hospital Sisters Well being System notified over 882,000 sufferers that an August 2023 cyberattack led to an information breach that uncovered their private and well being data.
Established in 1875, HSHS works with over 2,200 physicians and has round 12,000 workers. It additionally operates a community of doctor practices and 15 native hospitals throughout Illinois and Wisconsin, together with two youngsters’s hospitals.
The non-profit healthcare system mentioned in information breach notifications despatched to these impacted that the incident was found on August 27, 2023, after detecting that the attacker had gained entry to HSHS’ community.
After the safety breach, its methods have been additionally impacted by a widespread outage that took down “nearly all working methods” and cellphone methods throughout Illinois and Wisconsin hospitals. HSHS additionally employed exterior safety specialists to analyze the assault, assess its affect, and assist its IT group restore affected methods.
“We’re prioritizing affected person security as we set up a course of for restoration. With the help of third-party specialists, we’re bringing our methods again on-line as rapidly and as safely as attainable,” HSHS mentioned in a September 2024 assertion. “A well being system of our dimension operates a whole bunch of system purposes throughout 1000’s of servers, and as such, our restoration and investigative work will take a while to finish.
Whereas the incident and the ensuing outage have all of the indicators of a ransomware assault, no ransomware operation has claimed the breach.
Following the forensic investigation, HSHS discovered that the attackers had accessed recordsdata on compromised methods between August 16 and August 27, 2023.
“We’ve got since been reviewing these recordsdata and notifying people whose data was discovered within the recordsdata on a rolling foundation as our assessment has continued,” it mentioned.
The knowledge accessed by the menace actors whereas inside HSHS’ methods varies for every impacted particular person, and it features a mixture of title, tackle, date of start, medical report quantity, restricted remedy data, medical health insurance data, Social Safety quantity, and/or driver’s license quantity.
Whereas HSHS added that there isn’t any proof that the victims’ data has been utilized in fraud or identification theft makes an attempt, it warned affected people to watch their account statements and credit score experiences for suspicious exercise. The well being system additionally provides these affected by the breach one yr of free Equifax credit score monitoring.
An HSHS spokesperson was not instantly obtainable for remark when contacted by BleepingComputer earlier immediately to verify if the info breach resulted from a ransomware assault.
Final week, Connecticut healthcare supplier Neighborhood Well being Middle (CHC) alerted over 1 million sufferers of an information breach, whereas New York Blood Middle (NYBC), one of many world’s largest unbiased blood assortment and distribution organizations, mentioned {that a} ransomware assault pressured it to reschedule some appointments.
Earlier this month, UnitedHealth revealed that round 190 million People had their data stolen in final yr’s Change Healthcare ransomware assault, nearly doubling the 100 million disclosed in October.
In late December, the U.S. Division of Well being and Human Providers (HHS) proposed HIPAA updates to safe sufferers’ well being information in response to a surge of huge healthcare safety breaches.