Hospital Sisters Health System

Your Personal Info Could Be Exposed Online After This Hospital Breach

Breach Description

Hospital Sisters Health System (HSHS), a healthcare organization based in Springfield, Illinois, experienced a significant cybersecurity incident in late August 2023. The cyberattack, which began on August 27, caused a system-wide outage affecting HSHS’s computer systems, phone lines, and websites, including the MyChart and MyPrevea applications. The outage lasted several days, and during this time, HSHS and its partner Prevea Health in Green Bay, Wisconsin, operated under downtime procedures to continue providing patient care[1][3].

The attack led to the suspension of both online payments and the collection of payments for outstanding bills, although some partners continued to send bills to patients. HSHS published an open letter in early September warning patients about potential misuse of their information, as there were reports of patients being contacted by an unidentified third party claiming to be an HSHS representative and attempting to obtain payment for services. HSHS advised patients to be cautious and to verify the legitimacy of any billing-related communications[1].

HSHS confirmed that an unauthorized third party had accessed systems containing personal and protected health information of patients and employees. While there were attempts to misuse the stolen data, HSHS reported being unaware of any cases of fraud or identity theft resulting from the breach. On October 26, 2023, HSHS began sending notification letters to affected individuals and offered complimentary credit monitoring and identity theft protection services. The breach has been reported to the appropriate authorities, but the total number of individuals affected has not been publicly confirmed[1].

The cyberattack’s impact extended across HSHS’s operations in Illinois and Wisconsin, including hospitals such as St. Mary’s Hospital in Decatur, St. Anthony’s Memorial Hospital in Effingham, Good Shepherd Hospital in Shelbyville, and HSHS St. John’s Hospital in Springfield. The organization worked with law enforcement and third-party experts to investigate the breach and restore services[3][6][7].

HSHS’s privacy policy outlines the rights of individuals to be notified in the event their health information is accessed or disclosed in an unauthorized manner. Individuals also have the right to file a complaint if they believe their privacy rights have been violated[2].

The cyberattack on HSHS is part of a larger trend of increasing cyberattacks on healthcare organizations, which have been identified as high-value targets due to the sensitive nature of the information they handle[3][12].

Citations:

  1. https://www.hipaajournal.com/hospital-sisters-health-system-starts-notifying-individuals-about-august-cyberattack/
  2. https://www.hshs.org/privacy-policy
  3. https://herald-review.com/news/local/business/hospital-sisters-health-system-outage-hacking-cyberattack/article_ca90d564-492c-11ee-ae74-7f7d2fea99c5.html
  4. https://www.ksdk.com/article/news/local/business-journal/hospital-sisters-health-system-cybersecurity-incident-outage-ceo-exits/63-f6611b4f-e038-4694-87f7-4a2597b4a491
  5. https://www.turkestrauss.com/2023/11/08/hospital-sisters-health-system-data-breach-investigation/
  6. https://www.sj-r.com/story/news/healthcare/2023/09/01/hshs-breach-due-to-cybersecurity-incident-system-acknowledges/70744543007/
  7. https://herald-review.com/news/local/business/hospital-sisters-health-system-restores-health-record-access/article_41530996-518a-11ee-9e26-1730193e86e8.html
  8. https://www.beckershospitalreview.com/cybersecurity/hshs-addresses-data-security-breach.html
  9. https://www.hipaajournal.com/hospital-sisters-health-system-email-breach-impacts-16167-patients/
  10. https://www.jdsupra.com/legalnews/hospital-sisters-health-system-confirms-1869699/
  11. https://www.wbay.com/2023/10/27/hshs-prevea-begin-notifying-patients-affected-by-cyberattack/
  12. https://www.effinghamdailynews.com/news/local_news/hospital-sisters-health-system-battles-cybersecurity-incident/article_bf50794a-4bfa-11ee-9e88-d3ca7fc498e9.html
  13. https://www.beckershospitalreview.com/finance/hshs-warns-of-fake-patient-bills-amid-it-incident.html
  14. https://www.databreaches.net/hospital-sisters-health-systems-cfo-exits-as-it-continues-to-handle-cybersecurity-incident/
  15. https://www.nprillinois.org/health-harvest/2023-09-02/hshs-says-system-outage-caused-by-cyberattack
  16. https://herald-review.com/news/local/business/health-care/hospital-sisters-health-system-hshs-computer-failure-hacked/article_7dfee296-481d-11ee-82f3-af1e0a66fd7d.html

Breach Submission Date: Oct 26, 2023
Converted Entity Name: Hospital Sisters Health System
Converted Entity Type: Business Associate
State: IL
Individuals Affected: 500
Breach Type: Hacking/IT Incident
Breach Information Location: Network Server
Business Associate Present: Yes