Lake County Health Department and Community Health Center
Your Personal Info Could Be
Exposed Online After
This Hospital Breach
Breach Description
In March 2023, the Lake County Health Department and Community Health Center (LCHD/CHC) in Illinois experienced a significant data breach. An unauthorized third party, referred to as a Threat Actor, gained access to an employee’s email account on March 6, 2023. This compromised email account contained partially de-identified information about Lake County residents who may have had a reportable communicable disease or were part of a disease cluster or outbreak investigated by the health department from April 23, 2012, to March 6, 2023[1][3].
The types of information that may have been exposed in this breach include names, addresses, zip codes, dates of birth, genders, phone numbers, email addresses, medical record numbers, diagnoses or conditions, lab results, and other treatment information used by the Communicable Disease outreach program. Importantly, Social Security numbers and financial information were not included in the compromised data[1][3].
Upon discovering the breach, Lake County promptly secured the affected account and collaborated with Microsoft to investigate the unauthorized activity. Additionally, on March 9, 2023, a third-party vendor was engaged to perform a forensic analysis of the initial penetration and the unauthorized activities of the Threat Actor. While no evidence of unauthorized data transfer was found, the possibility could not be entirely ruled out[1][3].
In response to this incident, the Lake County Health Department has taken steps to enhance its cybersecurity measures. This includes implementing additional safeguards and conducting cyber security training to prevent similar breaches in the future. The health department has also provided a contact for those affected or concerned about the breach, encouraging them to reach out to the Lake County Health Department Privacy Officer for more information[1][3].
This breach was reported to the U.S. Department of Health and Human Services Office for Civil Rights, indicating that it affected approximately 5,000 individuals[2]. It underscores the ongoing challenges and importance of cybersecurity within the healthcare sector, particularly in protecting sensitive health information from unauthorized access.
Citations:
- https://content.govdelivery.com/accounts/ILLAKE/bulletins/358e5c3
- https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
- https://www.lakemchenryscanner.com/2023/05/12/lake-county-health-department-reports-security-breach-that-exposed-residents-health-data-personal-information/
- https://www.lakecountyil.gov/CivicAlerts.asp?AID=2848&ARC=5419
- https://content.govdelivery.com/accounts/ILLAKE/bulletins/380d1ff
- https://www.lakecountyil.gov/4127/Notice-of-Privacy-Practices
- https://www.lakecountyil.gov/2576/Medical-Records
- https://healthitsecurity.com/topic/healthcare-cyber-security/P540
- https://www.lakemchenryscanner.com/2023/12/21/health-department-experiences-security-breach-involving-lake-county-residents-personal-information/
- https://www.idstrong.com/sentinel/112k-records-stolen-from-population-healthec/
- https://healthitsecurity.com/news/illinois-health-department-data-breaches-impact-over-24k-patients
- https://www.hipaajournal.com/hipaa-breaches/
- https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf?ref=blog.gitguardian.com
- https://www.governmentjobs.com/careers/lakecountyil/health
- https://www.hipaajournal.com/lake-county-health-department-notifies-25000-patients-about-two-data-breaches/