IL Social Services Organization Notifies 184K of Healthcare Ransomware Attack

The January 2022 ransomware attack potentially involved the protected health information (PHI) of more than 184,000 individuals.

By Jill McKeon

Lutheran Social Services of Illinois (LSSI) notified more than 184,000 individuals of a healthcare data breach recently, according to a breach notice provided to the Maine Attorney General’s Office. On January 27, 2022, LSSI discovered that it had fallen victim to a ransomware attack.

Despite discovering the incident in January, LSSI did not complete its data review until December 28, 2022. By that time, the social services provider had determined that the unauthorized party accessed files containing certain sensitive information that was maintained on the impacted systems.

The affected data included names, Social Security numbers, dates of birth, financial information, biometric information, driver’s license numbers, health insurance information, and medical diagnosis and treatment information.

“LSSI has no evidence that information involved in this incident has been used for identity theft or financial fraud, and we have taken all available measures to protect individual information since discovering the incident,” LSSI said. “We have reviewed and revised our information security practices, and bolstered our existing security to reduce the chance of a future incident.”

Quality Behavioral Health Suffers Breach

Quality Behavioral Health (QBH) in Washington State notified 3,500 individuals of a healthcare data breach. QBH discovered the cyber incident on November 26, 2022, and immediately took steps to secure its systems and launch an investigation.

“While the investigation has not determined that information was viewed or copied from the system during the cyber incident, which occurred between November 24 and November 26, 2022, we were unable to conclusively rule out such activity,” QBH noted.

The information on the system at the time of the incident included names, demographic information, contact information, financial account information, Social Security and driver’s license numbers, health insurance policy numbers, and medical treatment information.

QBH did not provide further details about the nature of the breach beyond calling it a “cyber incident.”

The practice encouraged impacted individuals to remain vigilant against instances of fraud and identity theft.