US health system notifies 882,000 patients of August 2023 breach

Hospital Sisters Health System notified over 882,000 patients that an August 2023 cyberattack led to a data breach that exposed their personal and health information.

Established in 1875, HSHS works with over 2,200 physicians and has around 12,000 employees. It also operates a network of physician practices and 15 local hospitals across Illinois and Wisconsin, including two children’s hospitals.

The non-profit healthcare system said in data breach notifications sent to those impacted that it discovered the incident on August 27, 2023, after detecting that the attacker had gained access to HSHS’ network.

After the security breach, its systems were also impacted by a widespread outage that took down “virtually all operating systems” and phone systems across Illinois and Wisconsin hospitals. HSHS also hired external security experts to investigate the attack, assess its impact, and help its IT team restore affected systems.

“We are prioritizing patient safety as we establish a process for restoration. With the support of third-party experts, we are bringing our systems back online as quickly and as safely as possible,” HSHS said in a September 2024 statement. “A health system of our size operates hundreds of system applications across thousands of servers, and as such, our restoration and investigative work will take some time to complete.”

While the incident and the resulting outage have all the signs of a ransomware attack, no ransomware operation has claimed the breach.

Following the forensic investigation, HSHS found that the attackers had accessed files on compromised systems between August 16 and August 27, 2023.

“We have since been reviewing those files and notifying individuals whose information was found in the files on a rolling basis as our review has continued,” it said.

The information accessed by the threat actors while inside HSHS’ systems varies for each impacted individual, and it includes a combination of name, address, date of birth, medical record number, limited treatment information, health insurance information, Social Security number, and/or driver’s license number.

While HSHS added that there is no evidence that the victims’ information has been used in fraud or identity theft attempts, it warned affected individuals to monitor their account statements and credit reports for suspicious activity. The health system also offers those affected by the breach one year of free Equifax credit monitoring.

An HSHS spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today to confirm if the data breach resulted from a ransomware attack.

Last week, Connecticut healthcare provider Community Health Center (CHC) alerted over 1 million patients of a data breach, while New York Blood Center (NYBC), one of the world’s largest independent blood collection and distribution organizations, said that a ransomware attack forced it to reschedule some appointments.

Earlier this month, UnitedHealth revealed that around 190 million Americans had their information stolen in last year’s Change Healthcare ransomware attack, almost doubling the 100 million disclosed in October.

In late December, the U.S. Department of Health and Human Services (HHS) proposed HIPAA updates to secure patients’ health data in response to a surge of massive healthcare security breaches.

