Illinois, Florida, and Puerto Rico Healthcare Providers Confirm Data Breaches

Investigations of cyberattacks at healthcare providers in Illinois, Florida, and Puerto Rico are continuing, with announcements made that data breaches have occurred, although at this stage it is unclear how many individuals have been affected.

Roseland Community Hospital, Illinois

The Roseland Community Hospital Association in Illinois has confirmed that it has fallen victim to a cyberattack that exposed the protected health information of patients of Roseland Community Hospital in Chicago. The cyberattack was detected on June 2, 2024, and steps were immediately taken to secure its systems to block further unauthorized access. Third-party cybersecurity experts were engaged to assist with the investigation and confirmed that there had been unauthorized access to its IT network on June 2 and files were accessed or obtained by the threat actor.

The file review confirmed that the data elements compromised in the incident include names, in combination with one or more of the following: date of birth, address, medical record number, patient account number, health insurance information, diagnosis, and/or treatment information. Notification letters started to be mailed to the affected individuals on August 1, 2024. The incident has been reported to the HHS’ Office for Civil Rights as affecting at least 500 individuals. The total will be updated when the file review has been completed.

Hospital Auxilio Mutuo, Puerto Rico

On July 13, 2024, Hospital Auxilio Mutuo in Puerto Rico notified the HHS’ Office for Civil Rights about a network server-related data breach. The incident occurred in September 2023, but the investigation and document review do not appear to have been completed, as the OCR breach report indicates 500 individuals have been affected. 500 is a commonly used placeholder when the number of affected individuals has yet to be determined.

According to a statement released by the hospital, “We have concluded that a limited amount of personal information may have been removed from our network in connection with the incident, including full names and one or more of the following: medical records, diagnostic information, and other data related to patient care.” The hospital has not uncovered evidence of data exfiltration or misuse.

Update April 2025: Data exfiltration has been confirmed, although it is still unclear how many individuals have been affected. Further information can be found in this post.

PRM Management Company, Florida

Florida-based PRM Management Company, which does business as Pelvic Rehabilitation Medicine, is investigating a breach of its email environment. Suspicious activity was detected in an employee email account in June 2024, prompting a forensic investigation to identify the nature and scope of the activity. The investigation confirmed that there had been unauthorized access to a single email account between January 30, 2024, and June 5, 2024, and that the email account contained patients’ protected health information.

PRM Management Company is currently reviewing the contents of the account to determine the number of individuals affected and the types of data involved. Notification letters will be mailed when that process has been completed. If Social Security numbers have been compromised, the affected individuals will be offered complimentary credit monitoring and identity theft protection services. PRM Management Company said it has changed all email passwords and will be reinforcing multifactor authentication. The incident has been reported to the HHS’ Office for Civil Rights with an interim figure of 500 affected individuals.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
