Loretto Hospital Confirms Patient Data Involved in January Hacking Incident
Loretto Hospital in Chicago has confirmed that patient data was exposed in a January hacking incident. Data breaches have also been announced by Family Centers Inc. in Connecticut and Maryhaven in Ohio.
Loretto Hospital, Illinois
Loretto Hospital in Chicago, Illinois, has warned patients about a recent hacking and data theft incident. It is unclear from the breach notice exactly when the incident was detected; however, the forensic investigation confirmed that there was unauthorized access to its network between January 17 and February 1, 2025, during which time files were copied from its network.
Further, Loretto Hospital determined that patient information entered into its electronic medical record system from the evening of February 2, 2025, through the afternoon of February 4, 2025, was not saved. Efforts were made to recover that data, but some records may not have been recovered or fully recreated. It is currently unclear how many individuals have been affected as the file review has not yet concluded. In the interim, the breach has been reported to the HHS’ Office for Civil Rights using a placeholder figure of at least 501 affected individuals. The exact types of information involved will be communicated in the individual notification letters. In the meantime, patients have been advised to monitor their financial accounts and statements for any signs of misuse of their data.
Family Centers, Inc., Connecticut
Family Centers Inc., a provider of health and human services to adults and children in Connecticut, has announced a security incident involving unauthorized access to the protected health information of certain individuals. Suspicious activity was identified on January 30, 2025, and on February 6, 2025, it was confirmed that personal information had been accessed without authorization. The review of the affected information is ongoing; however, an early notification was added to its website while the file review is completed. The information involved has yet to be confirmed, but it is likely to include names, driver’s license numbers, Social Security numbers, birth dates, health insurance information, and medical information. At present, no instances of data misuse have been detected.
The breach has been reported to the HHS’ Office for Civil Rights using a placeholder figure of 501 individuals. The total will be updated when the file review is concluded. Family Centers said it will send notification letters to the affected individuals as soon as possible and has confirmed that steps have already been taken to harden security to prevent similar incidents in the future.
Maryhaven, Ohio
Maryhaven, a Columbus, Ohio-based nonprofit rehabilitation center offering treatment for drug, alcohol & gambling addictions, has recently started notifying individuals about a hacking incident first identified on June 1, 2024. Independent forensics specialists were engaged to investigate the unauthorized activity, and it was confirmed that an unauthorized actor had access to its systems between May 30, 2024, and June 1, 2024, and may have exfiltrated files containing sensitive data.
The file review concluded on February 12, 2025, when it was confirmed that personally identifiable information and protected health information were stolen in the incident. The types of data vary from individual to individual and may include first and last names, addresses, phone numbers, email addresses, dates of birth, medical diagnoses, conditions, driver’s license numbers, Social Security numbers, and health insurance information. Notification letters are being issued on a rolling basis. Individuals who had their Social Security numbers stolen are being offered 12 months of complimentary credit monitoring and identity theft protection services.


