Illinois Hospital, FQHC Suffer Healthcare Data Breaches, PHI Exposure

February 16, 2022 - This week, two Illinois healthcare organizations began notifying patients of separate healthcare data breaches that caused protected health information (PHI) exposure.

South Shore Hospital in Chicago faced an unspecified hacking incident, and Harvey, Illinois-based Family Christian Health Center informed patients of a ransomware attack. Collectively, the two incidents impacted nearly 200,000 individuals.

Healthcare data breaches across the country have become nearly daily occurrences as threat actors continue to sharpen their tactics.

Chicago Hospital Faces Hacking Incident, 116K Impacted

South Shore Hospital (SSH) in Chicago, Illinois, began notifying nearly 116,000 individuals of a data security incident that may have led to PHI exposure. The incident impacted a select number of current and former patients and employees.

SSH discovered suspicious network activity on December 10, 2021. The hospital immediately activated its emergency protocols and engaged with a third-party forensics firm.

It is unclear whether threat actors exfiltrated files or if ransomware was involved. The impacted files contained names, birth dates, Social Security numbers, health insurance information, diagnoses, Medicare and Medicaid information, financial information, and addresses.

“To help reduce the risk of something like this happening again, we are implementing additional security controls to protect our network,” the hospital’s website notice explained.

“These steps include enforcing stronger password requirements, enabling multifactor authentication, and additional data privacy and security awareness training for SSH’s workforce.  We have also deployed supplementary anti-malware and email phishing tools and will continue to evaluate our security protocols for opportunities to further bolster our network security.”

SSH is offering complimentary identity theft protection services to all impacted individuals.

Ransomware Attack Hits Illinois FQHC

Harvey, Illinois-based Family Christian Health Center (FCHC), a Federally Qualified Health Center (FQHC), suffered a ransomware attack that impacted 31,000 individuals. FCHC first discovered the ransomware attack on November 30, 2021, a notice on its website explained.

“Family Christian Health Center (FCHC) is committed to protecting the information that it maintains on behalf of its patients,” the notice began. 

“Over the last two years, despite the unprecedented demands of the COVID-19 pandemic, FCHC has been working hard to strengthen its computer systems and the security of its network, as well as providing additional employee training on privacy and security to address the evolving nature of cyber threats to the healthcare industry.”

Despite its best efforts, FCHC fell victim to a ransomware attack that began around November 18 and potentially exposed patient information. The type of information varied depending on whether the patient was a dental or non-dental patient or whether they visited the Health Resources and Services Administration (HRSA) site.

Some dental patients who received services at FCHC before August 31, 2020, faced PHI exposure, including names, insurance card numbers, birth dates, and addresses, as well as copies of insurance cards and driver’s licenses.

Select patients who received non-dental services at FCHC between December 5, 2016, and August 31, 2020, and checked in via FCHC’s electronic system may have also faced PHI exposure due to the ransomware attack. The ransomware attack exposed Social Security numbers, names, birth dates, addresses, and insurance identification numbers.

It is important to note that some patients who received both dental and non-dental services may have had their information exposed through one or both avenues.

In addition, approximately 20 patients who visited the HRSA site faced PHI exposure in connection with a compromised PDF. The PDF contained clinical information from one office visit in 2021, along with names, birth dates, date of visit, and patient ID numbers.

“After the attack was discovered, FCHC staff and its outside information technology vendors worked diligently to investigate the event and evaluate FCHC’s network security,” the notice stated. 

“FCHC has also hired a forensics consultant to further analyze how the breach occurred and suggest any additional security measures.  FCHC has already taken steps to enhance its technical safeguards to help minimize the occurrence of future [cyberattacks].”