Hospital Sisters Health System says cyber attack impacted over 880,000 patients

Springfield, Illinois-based healthcare provider, Hospital Sisters Health System, said that the data security incident it suffered in 2023 compromised the sensitive personal information of more than 880,000 individuals.

 

Established in 1875, HSHS operates a network of physician practices and 15 local hospitals across Illinois and Wisconsin, including two children’s hospitals.

 

In a data security incident notice, HSHS said that on August 27, 2023, it identified unauthorised access to its internal network. The healthcare provider immediately launched an investigation, with assistance from external cyber security experts, to determine the nature and scope of the incident.

 

“The forensic investigation determined that the unauthorised third party accessed certain files on our network between August 16 and August 27, 2023,” reads the notice.

 

The compromised data included names, Social Security numbers, addresses, dates of birth, driver’s license numbers, medical record numbers, limited treatment information, and health insurance information. In a filing with the Maine state regulator, HSHS said that it has identified 882,782 individuals who were impacted by the incident.

 

“We have taken steps to reduce the risk of this type of incident from occurring in the future, including enhancing our technical security measures,” HSHS added.

 

While the healthcare provider found no evidence of the compromise data being misused, it has advised all affected individuals to regularly monitor their credit reports, account and benefit statements and report any suspicious activity to law enforcement authorities, including the police and the state attorney general.

 

It has also offered one year of complimentary identity protection and credit monitoring services through Equifax Credit Watch Gold to all affected individuals.

 

It is not clear why the healthcare provider took a year and a half to file its incident report with state Attorney Generals. HSHS is also yet to share details on the perpetrator of the cyber attack or whether it received a ransom demand.