The protected health information (PHI) of nearly 150,000 residents of Illinois may have been exposed in data breaches at two separate healthcare organizations.
South Shore Hospital (SSH) in Chicago and the Family Christian Health Center (FCHC) in Harvey, Illinois, have begun notifying Illinoisans that the security of their data may have been compromised.
SSH became aware of suspicious activity on its network on December 10 2021. The hospital hired a third-party digital forensics firm to investigate the activity and activated its emergency cybersecurity protocols.
The investigation determined that data belonging to some current and former hospital patients and employees may have been accessed by an unauthorized third-party. Data that may have been exposed in the attack included names, addresses, birth dates, Social Security numbers, health insurance information, diagnoses, Medicare and Medicaid information and financial information.
SSH has not revealed the exact nature of the incident or stated whether any files had been exfiltrated during the attack.
The hospital reported the breach as a hacking incident impacted nearly 116,000 individuals. SSH is offering all impacted individuals free identity theft protection services.
“To help reduce the risk of something like this happening again, we are implementing additional security controls to protect our network,” said SSH in a data security notice.
“These steps include enforcing stronger password requirements, enabling multi-factor authentication and additional data privacy and security awareness training for SSH’s workforce.”
The healthcare organization said that it had also deployed supplementary anti-malware and email phishing tools and “will continue to evaluate our security protocols for opportunities to further bolster our network security.”
Data in the care of FCHC was compromised during a ransomware attack that began around November 18 2021 but wasn’t discovered until November 30 2021. The incident impacted 31,000 patients.
Information compromised in the attack included dental patients’ names, dates of birth, addresses, insurance cards and driver’s licenses. Exposed data belonging to other patients included names, dates of birth, addresses, insurance identification numbers and Social Security numbers.
FCHC said in a statement that it “has already taken steps to enhance its technical safeguards to help minimize the occurrence of future cyber-attacks.”