Cyberattack at Loretto Hospital exposes data of over 500 patients

Loretto Hospital, located on Chicago’s West Side, has disclosed a data breach that may have compromised the personal information of more than 500 individuals. The breach, which occurred earlier this year, involved unauthorized access to the hospital’s network and the copying of sensitive files, according to a notice published on the hospital’s website.

The hospital stated it became aware of suspicious activity in its computer systems and initiated an internal investigation. Findings revealed that an unknown actor had accessed the network between January 17 and February 1, 2024. During that period, files were copied from the system, raising concerns about potential exposure of personal and medical data.

In addition to the breach, the hospital reported a separate technical failure between the evening of February 2 and the afternoon of February 3, when information entered into its electronic medical record system was not saved. Loretto acknowledged that while efforts were made to recover and reconstruct affected patient records, some data may remain incomplete or unrecoverable.

The U.S. Department of Health and Human Services (HHS) confirmed the incident impacted approximately 500 individuals, qualifying it for mandatory reporting under federal regulations. Healthcare organizations must report breaches involving protected health information of 500 or more individuals to HHS’s Office for Civil Rights, which maintains a public record of such incidents.

Loretto Hospital emphasized that it is actively reviewing the affected files to determine the extent of the breach and will notify individuals whose data may have been compromised upon completion of its review. The hospital also assured the public that it is reassessing its cybersecurity policies and exploring additional protective tools to bolster its defenses against future incidents.

This breach adds to a growing list of cyberattacks targeting healthcare systems across the country. Hospitals are increasingly vulnerable due to their reliance on digital infrastructure and the volume of sensitive information they manage, including Social Security numbers, insurance details, and medical histories.

In the wake of the Loretto incident, patients are urged to remain vigilant and monitor their financial and medical accounts for any signs of misuse. Suspicious activity should be promptly reported to insurance providers, healthcare institutions, and financial organizations. Consumers are also reminded that they are entitled to one free credit report annually from each of the three major credit bureaus—Equifax, Experian, and TransUnion—via annualcreditreport.com or by calling 1-877-322-8228.

Individuals with questions regarding the breach can contact the hospital directly at cyber.incident@lorettohospital.org or by mail at 645 South Central Avenue, Chicago, IL 60644, Attn: Information System CIO.