Hospital Sisters Health System: August 2023 Data Breach Affected 883K Individuals
Hospital Sisters Health System (HSHS) in Springfield, IL, and Prevea Health in Green Bay, WI, were affected by a cyberattack in late August that caused an outage on August 27, 2023, affecting their computer systems, phone lines, and websites. The outage lasted for several days, during which time HSHS and Prevea operated under downtime procedures. The attack took their websites and certain applications offline, including the MyChart and MyPrevea applications. HSHS was also unable to process online payments as its computer system was offline, but care continued to be provided to patients.
HSHS decided to suspend collecting payments for outstanding bills while it was recovering from the attack, although some of its partners in Illinois and Wisconsin continued to send bills to patients. In early September, HSHS published an open letter to patients warning them about the potential misuse of their information, as reports had been received from some patients who had been contacted by email, SMS, and phone by an unidentified third party that claimed to be an HSHS representative and was attempting to obtain payment for services. In the letter, HSHS advised patients not to respond to suspicious requests for payment via email, SMS, and phone, and to carefully check bills before making any payment. HSHS said that if a message or SMS is received, patients should save it and email it to [email protected] so that it can be investigated, and HSHS and Prevea Health would determine if the request was legitimate or fraudulent.
HSHS has now confirmed that an unauthorized third party had accessed its systems, which contained the personal and protected health information of patients and HSHS employees. It has been investigating the breach and reviewing the data potentially compromised in the incident. While the open letter suggests that there was attempted misuse of stolen data, HSHS said it is unaware of any cases of fraud or identity theft. On October 26, 2023, notification letters started to be sent to the affected individuals, who have been offered complimentary credit monitoring and identity theft protection services. At the time the cyberattack was announced, HSHS said it would take time to fully investigate the incident, review the affected files, and notify the affected individuals. HSHS said notification letters would be mailed on a rolling basis as the file review progressed.
HSHS said the appropriate authorities have been informed about the breach. The HHS Office for Civil Rights breach portal currently lists the breach as involving the protected health information of 500 individuals – a placeholder figure while the file review is completed. HSHS has since confirmed that the information compromised in the attack included names, addresses, dates of birth, Social Security numbers, driver’s license numbers, medical record numbers, health insurance information, and limited medical and treatment information. HIPAA notification letters started to be mailed on a rolling basis on August 30, 2024, and that process appears to be approaching completion. In the first week of February 2025, legal counsel for HSHS notified the Maine Attorney General that the breach affected 882,782 individuals.


