Hospital Sisters Health System (HSHS) has sent notification letters to 882,000 patients about a 2023 cyberattack that resulted in a data breach compromising patient information.
The affected entity runs a network of physician practices and 15 community hospitals in Illinois and Wisconsin, including two children’s hospitals.
This non-profit healthcare institution stated in its notifications to those affected that it discovered the incident in August 2023, after determining that an attacker had gained unauthorised access to the HSHS network.
Following the incident, the organisation's systems were affected by various outages that took down most of its operating systems and phone systems at its hospitals in Illinois and Wisconsin.
HSHS stated that it employed a third-party security provider to help it investigate the incident, assess the impact, and assist its IT staff in restoring infected systems. Additionally, the affected NGO insisted that patient safety remains its top priority, which is why it hired external service providers to help with its restoration processes.
However, a health system of this size runs hundreds of system programs across thousands of servers, so restoration and investigation will take considerable time and effort.
The nature of the cyberattack on HSHS is still unknown.
According to investigations, a ransomware attack could be causing the downtime in the HSHS system. However, no ransomware organisation has yet claimed responsibility for the breach.
Following the forensic examination, the non-government organisation revealed that the attackers accessed files on compromised systems between August 16 and August 27, 2023.
The information accessed by threat actors while inside HSHS's systems varies by individual, but commonly includes names, addresses, dates of birth, medical record numbers, limited treatment information, health insurance information, Social Security numbers, and driver's license numbers.
HSHS insisted that there is no evidence that the victims' information was used for malicious activities, such as fraud or identity theft. Still, it advised potentially impacted individuals to watch their credit reports and account statements for unauthorised activity.