HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

182,670 patients affected by Illinois Bone & Joint Institute breach

Written by Caitlin Anthoney | Sep 17, 2024 3:09:43 PM

Illinois Bone & Joint Institute (IBJI) recently disclosed that a network security breach exposed the protected health information (PHI) of 182,670 individuals.

What happened  

On July 4, 2024, IBJI detected suspicious activity within its systems, which prompted an investigation involving law enforcement and third-party security experts. The investigation revealed that the unauthorized party accessed the system between May 30 and July 4, 2024.

The compromised data includes names, addresses, dates of birth, Social Security numbers, medical treatment details, diagnosis information, and health insurance or claims data. 

Although information about the attackers and their methods has not yet been disclosed, IBJI started sending notification letters to affected individuals on August 30, 2024.

What was said  

The IBJI notice of a data incident stated, “On July 4, 2024, IBJI detected unauthorized access to certain computer systems on the IBJI network. IBJI immediately initiated an investigation, retained cybersecurity experts, and notified law enforcement.” 

The notice further explained, “The investigation determined that an unauthorized third party accessed the IBJI network between May 30, 2024, and July 4, 2024, and acquired certain files during this period. To date, IBJI is not aware of any such data being misused.”

IBJI’s notice also addressed the steps taken to notify affected individuals: “IBJI is now sending written notifications to individuals whose personal information or protected health information may have been involved in the incident, and for whom IBJI has current contact information.” 

Furthermore, the institute offers complimentary identity theft protection services for those whose Social Security numbers were potentially involved and advises individuals to remain vigilant against potential fraud or identity theft.

Why it matters

Data breaches like this show the vulnerability of sensitive healthcare information, especially when entities manage thousands of patients’ PHI within their electronic health records (EHR).

The big picture  

Healthcare organizations must continually improve their cybersecurity measures to prevent network breaches, which can have long-lasting implications for patients. Individuals who receive a breach notification from IBJI must monitor their accounts and report suspicious activity. 

FAQs

What is a data breach?

A breach occurs when an unauthorized party gains access to, uses, or discloses protected health information (PHI) without permission. Examples of breaches include hacking, losing a device containing PHI, or sharing information with unauthorized individuals.

What should individuals do if their data has been compromised?

If individuals suspect their data has been compromised, they must monitor their accounts for suspicious activity and report any unauthorized transactions immediately.

Are there any costs associated with placing a fraud alert or credit freeze?

No. Placing a fraud alert or credit freeze does not incur any costs. In addition, under U.S. law, consumers are entitled to a free credit report annually from each of the three major credit reporting bureaus: Equifax, Experian, and TransUnion.