Hospital Sisters Health System reports almost 2 year old data breach exposing 880K patients

Hospital Sisters Health System (HSHS), a non-profit healthcare organization operating 15 hospitals across Illinois and Wisconsin, is reporting a data breach affecting 882,000 patients. The organization discovered the security incident on August 27, 2023, after detecting unauthorized access to their network.

The breach occurred between August 16 and August 27, 2023 and resulted in a widespread system outage affecting virtually all operating systems and phone systems across HSHS facilities in Illinois and Wisconsin. In response, HSHS engaged external security experts to investigate the incident, assess its impact, and assist their IT team in restoring affected systems. The organization emphasized that system restoration would take considerable time due to the complexity of their infrastructure, which operates hundreds of applications across thousands of servers.

The compromised information includes

• Names
• Addresses
• Dates of birth
• Medical record numbers
• Limited treatment information
• Health insurance information
• Social Security numbers
• Driver's license numbers

The nature of the attack is not disclosed. Although the incident and resulting outage indicate a ransomware attack, no ransomware operation has claimed responsibility for the breach. It's unclear why the organization waited almost 2 years before reporting the incident.

HSHS are offering affected individuals one year of free Equifax credit monitoring and advising them to monitor their account statements and credit reports for suspicious activity.