HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Northwestern Memorial HealthCare and Renown Health Affected by Elekta Cyberattack

Chicago, IL-based Northwestern Memorial HealthCare and Reno, NV-based Renown Health have been affected by a cyberattack on one of their business associates.

The data breach was discovered by Stockholm-based Elekta, which provides a software platform used for clinical radiotherapy treatment for cancer and brain disorders. Elekta issued a statement confirming its first-generation cloud-based storage system was accessed by unauthorized individuals, which affected a subset of customers in North America.

Elekta has been working with law enforcement and third-party cybersecurity experts to determine exactly how the breach occurred and the nature and scope of the attack. Elekta started notifying affected healthcare providers in April 2021.

Elekta’s investigation revealed its systems were compromised between April 2, 2021 and April 20, 2021. During that time the attackers accessed and exfiltrated a copy of a database that contained the information of oncology patients. The breach was confined to Elekta’s systems. The systems of its healthcare provider clients were not accessed at any point.

Northwestern Memorial HealthCare said the database included information such as patient names, dates of birth, Social Security numbers, health insurance information, medical record numbers, and clinical information related to cancer treatment, such as medical histories, physician names, dates of service, treatment plans, diagnoses, and/or prescription information.

Renown Health has reported the breach as affecting 65,181 patients. The data involved included names, Social Security numbers, addresses, dates of birth, diagnoses, medical treatment information, appointment confirmations, and other patient metrics such as height and weight.

Northwestern Memorial HealthCare said the database contained the protected health information of 201,197 oncology patients who had received treatment at one of the following hospitals:

  • Northwestern Medicine Central DuPage Hospital
  • Northwestern Medicine Delnor Community Hospital
  • Northwestern Medicine Huntley Hospital
  • Northwestern Medicine Kishwaukee Hospital
  • Northwestern Medicine Lake Forest Hospital
  • Northwestern Medicine McHenry Hospital
  • Northwestern Memorial Hospital
  • Northwestern Medicine Valley West Hospital

While data theft was confirmed, Elekta said it has no reason to believe that any patient information has been or will be misused or made public.

Northwestern Memorial HealthCare said individuals whose Social Security number was compromised will be provided with complimentary credit monitoring and identity theft protection services. Renown Health said Elekta is providing complimentary identity monitoring, fraud consultation, and identity theft restoration services.

In total, 42 healthcare systems are believed to have been affected by the breach. In some cases, affected facilities had to temporarily halt cancer procedures and arrange for patients to continue their treatment at alternative healthcare facilities.

Other victims include:

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.