182,670 patients affected by Illinois Bone & Joint Institute breach

Illinois Bone & Joint Institute (IBJI) recently disclosed that a network security breach exposed the protected health information (PHI) of 182,670 individuals.

What happened  

On July 4, 2024, IBJI detected suspicious activity within its systems, resulting in an investigation involving law enforcement and third-party security experts. The investigation revealed that the unauthorized party accessed the system between May 30 and July 4, 2024. 

The compromised data includes names, addresses, dates of birth, Social Security numbers, medical treatment details, diagnosis information, and health insurance or claims data. 

Although information about the attackers and their methods has not yet been disclosed, IBJI started sending notification letters to affected individuals on August 30, 2024.

What was said  

The IBJI notice of a data incident stated, “On July 4, 2024, IBJI detected unauthorized access to certain computer systems on the IBJI network. IBJI immediately initiated an investigation, retained cybersecurity experts, and notified law enforcement.” 

The notice further explained, “The investigation determined that an unauthorized third party accessed the IBJI network between May 30, 2024, and July 4, 2024, and acquired certain files during this period. To date, IBJI is not aware of any such data being misused.”

IBJI’s notice also addressed the steps taken to notify affected individuals: “IBJI is now sending written notifications to individuals whose personal information or protected health information may have been involved in the incident, and for whom IBJI has current contact information.” 

Furthermore, the institute offers complimentary identity theft protection services for those whose Social Security numbers were potentially involved and advises individuals to remain vigilant against potential fraud or identity theft.

Why it matters

Data breaches like this show the vulnerability of sensitive healthcare information, especially when entities manage thousands of patients’ PHI within their electronic health records (EHR).

The big picture  

Healthcare organizations must continually improve their cybersecurity measures to prevent network breaches, which can have long-lasting implications for patients. Individuals who receive a breach notification from IBJI must monitor their accounts and report suspicious activity. 

FAQs

What is a data breach?

A breach occurs when an unauthorized party gains access to, uses, or discloses protected health information (PHI) without permission. Examples of breaches include hacking, losing a device containing PHI, or sharing information with unauthorized individuals.

What should individuals do if their data has been compromised?

If individuals suspect their data has been compromised, they must monitor their accounts for suspicious activity and report any unauthorized transactions immediately.

Are there any costs associated with placing a fraud alert or credit freeze?

No, under U.S. law, consumers are entitled to a free credit report annually from each of the three major credit reporting bureaus, Equifax, Experian, and TransUnion. So, placing a fraud alert or credit freeze does not incur any costs.