The breach caused a massive outage, impacting 15 hospitals across Wisconsin and Illinois.
What happened
Hospital Sisters Health System (HSHS) was first impacted by a massive data breach in August, 2023, but last week they confirmed that 882,782 individuals were affected by the incident.
The outage began on August 27th, 2023, and devastated the majority of HSHS’ internal systems, including communications and internet systems, phones, internal applications, the MyChart and MyPrevea applications, online payments, and HSHS’ website.
The outage lasted for several days and impacted 15 hospitals across Wisconsin and Illinois. The breach also forced Prevea Health clinics to implement downtime procedures. Prevea Health was, however, able to continue caring for patients.
Going deeper
After the breach, HSHS quickly launched an investigation into the attack and determined that hackers had accessed the network between August 16th and August 27th, 2023.
HSHS believes compromised information may have included names, addresses, dates of birth, Social Security numbers, driver’s license numbers, medical record numbers, treatment information, and health insurance information.
In October of 2023, the HSHS began notifying impacted individuals, but even a year later they did not yet have full information on the number of people impacted.
In September of 2024, HSHS posted online that they had become aware that some patients were being targeted in fraud schemes. In these cases, malicious actors impersonated HSHS representatives in an attempt to receive private information from patients.
Now that HSHS has finally confirmed the number of impacted individuals, we’ll likely see if and how patients may respond. HSHS is also providing impacted individuals with free identity theft protection and credit monitoring services.
Why it matters
Data incidents like this show the extensive amount of time it can take for full details of a data breach to become available, even to those who were impacted. While breaches are always complicated, for large networks like HSHS, investigators likely have to sort through extensive amounts of data.
Even if HSHS handled the incident with the utmost integrity, they could still find themselves vulnerable to a class action lawsuit, especially if impacted individuals have become the victim of fraud or identity theft as a result.
Related: HIPAA Compliant Email: The Definitive Guide
Abby Grifno
