The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Harrisburg Medical Center Data Breach: PHI of 148,000 Individuals Compromised in 2022

Harrisburg Medical Center, which is part of the Southern Illinois Healthcare network, has recently started notifying 147,826 individuals that some of their personal and protected health information has been compromised. Notification letters about the Harrisburg Medical Center data breach started to be sent to the affected individuals on December 12, 2023; however, the cyberattack was detected a year previously on December 23, 2022.

According to the notification letter sent to the Maine Attorney General, Harrisburg Medical Center discovered and blocked the attack on December 23, 2022, and a third-party cybersecurity firm was engaged to conduct a forensic investigation to determine the nature and extent of the attack. The investigation confirmed that protected health information had been exposed between December 19, 2022, and December 23, 2023, and during that time, files were removed from its systems.

Harrisburg Medical Center said it conducted a review of the documents involved and confirmed on August 24, 2023 – 8 months after the attack was detected – that the files contained names and Social Security numbers, along with some or all of the following information: date of birth, diagnosis/conditions, lab results, and prescription information. Some individuals may also have had their health insurance information, driver’s license/state ID number, digital/electronic signature, and/or financial account number exposed or stolen. No explanation was given about why it took a further four months to issue individual notifications to the affected individuals.

Despite the data breach occurring in December 2022 and PHI being confirmed as involved on August 24, 2023, the incident is still not showing on the HHS’ Office for Civil Rights breach portal. The HIPAA Breach Notification Rule states that breaches must be reported within 60 months of discovery of the breach.

Unsurprisingly, given the length of time taken to notify the affected individuals and the lack of transparency, patients have been looking to take legal action over the breach and theft of their data. Several law firms have opened investigations with a view to filing class action lawsuits.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
