Hospital Sisters Health System (HSHS)

In August 2023, **Hospital Sisters Health System (HSHS)**, a Midwest-based network of 13 Catholic hospitals, suffered a **targeted cyberattack** compromising the **personally identifiable information (PII) and protected health information (PHI) of 882,782 individuals**. The breach exposed data including **names, addresses, dates of birth, medical record numbers, treatment details, health insurance info, Social Security numbers, and driver’s license numbers** after threat actors gained unauthorized access to HSHS’s network between **August 16–27, 2023**. HSHS agreed to a **$7.6 million settlement**, offering affected individuals up to **$5,000 per valid claim** for out-of-pocket losses, alongside **24 months of free credit/identity monitoring**. The incident led to **class-action litigation** alleging negligence, breach of contract, and unjust enrichment, though HSHS denied liability. The breach underscored systemic vulnerabilities in healthcare cybersecurity, prompting HSHS to commit to **enhanced data security measures**, though specifics were undisclosed. The financial and reputational fallout, combined with regulatory scrutiny, highlights the severe consequences of healthcare data breaches.

Source: https://www.bankinfosecurity.com/hospital-chain-to-pay-76m-to-settle-breach-litigation-a-29623

TPRM report: https://www.rankiteo.com/company/hospital-sisters-health-system

"id": "hos3502435100325",
"linkid": "hospital-sisters-health-system",
"type": "Cyber Attack",
"date": "8/2023",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': 882782,
                        'industry': 'Healthcare',
                        'location': ['Springfield, Illinois',
                                     'Midwest (13 hospitals/community health '
                                     'centers)'],
                        'name': 'Hospital Sisters Health System (HSHS)',
                        'type': ['Hospital Network', 'Healthcare Provider']}],
 'attack_vector': 'Network Intrusion (Unauthorized Access)',
 'customer_advisories': ['Eligible victims can claim up to $5,000 for '
                         'out-of-pocket losses (deadline: November 14, 2024).',
                         '24 months of free credit/identity monitoring '
                         'offered.'],
 'data_breach': {'data_exfiltration': True,
                 'file_types_exposed': ['Patient Records',
                                        'Administrative Files'],
                 'number_of_records_exposed': 882782,
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'High (Medical, Financial, '
                                        'Identifiable)',
                 'type_of_data_compromised': ['Personally Identifiable '
                                              'Information (PII)',
                                              'Protected Health Information '
                                              '(PHI)']},
 'date_detected': '2023-08-27',
 'description': 'Hospital Sisters Health System (HSHS), a network of 13 '
                'Catholic hospitals, agreed to pay $7.6 million and improve '
                'data security practices to settle class action litigation '
                'stemming from a 2023 cyberattack that compromised the '
                'personally identifiable information (PII) and protected '
                'health information (PHI) of nearly 900,000 individuals. The '
                'breach occurred between August 16–27, 2023, when an '
                "unauthorized third party accessed HSHS's network. Affected "
                'data included names, addresses, dates of birth, medical '
                'record numbers, treatment details, health insurance info, '
                'Social Security numbers, and driver’s license numbers. HSHS '
                'denied wrongdoing but committed to remedial security measures '
                'and offered credit monitoring to victims.',
 'impact': {'brand_reputation_impact': 'Significant (class action litigation, '
                                       'public settlement)',
            'customer_complaints': ['Class Action Lawsuits',
                                    'Robocall Complaints (unrelated)'],
            'data_compromised': {'total_records': 882782,
                                 'types': ['Names',
                                           'Addresses',
                                           'Dates of Birth',
                                           'Medical Record Numbers',
                                           'Treatment Information',
                                           'Health Insurance Details',
                                           'Social Security Numbers',
                                           'Driver’s License Numbers']},
            'financial_loss': '$7.6 million (settlement cost)',
            'identity_theft_risk': 'High (PII/PHI exposed)',
            'legal_liabilities': ['Class Action Settlement ($7.6M)',
                                  'Ongoing Litigation (Illinois Genetic '
                                  'Information Privacy Act, Robocalls)',
                                  "Attorneys' Fees (~$2.6M, 35% of "
                                  'settlement)'],
            'systems_affected': ['Network Files', 'Patient Databases']},
 'initial_access_broker': {'high_value_targets': ['Patient Databases',
                                                  'PII/PHI Records']},
 'investigation_status': 'Closed (Settlement Reached)',
 'lessons_learned': ['Healthcare industry must tighten cybersecurity standards '
                     'to avoid costly litigation.',
                     'Quick settlements with minimal payouts to victims are a '
                     'common defendant strategy.',
                     'Proactive security improvements (even if unspecified) '
                     'can mitigate future risks.'],
 'post_incident_analysis': {'corrective_actions': ['Remedial Security Measures '
                                                   '(unspecified)',
                                                   'Settlement-Mandated '
                                                   'Improvements'],
                            'root_causes': ['Unspecified Network '
                                            'Vulnerabilities',
                                            'Inadequate Access Controls']},
 'ransomware': {'data_exfiltration': True},
 'recommendations': ['Implement multi-layered security controls (e.g., '
                     'encryption, access monitoring).',
                     'Conduct regular third-party audits of data security '
                     'practices.',
                     'Enhance incident response transparency to rebuild '
                     'trust.'],
 'references': [{'date_accessed': '2024-10-02',
                 'source': 'Information Security Media Group (ISMG)'},
                {'source': 'Chancery Court of Sangamon County, Illinois '
                           '(Settlement Hearing)'},
                {'source': 'Hales Law Group (Legal Analysis)'}],
 'regulatory_compliance': {'legal_actions': ['Class Action Settlement '
                                             '(Chancery Court of Sangamon '
                                             'County, IL)',
                                             'Ongoing Litigation (Illinois '
                                             'Genetic Information Privacy Act, '
                                             'Robocalls)'],
                           'regulatory_notifications': ['Law Enforcement '
                                                        'Notified']},
 'response': {'communication_strategy': ['Breach Notices to Affected '
                                         'Individuals (September 2024)',
                                         'Public Statement (via Information '
                                         'Security Media Group)',
                                         'Settlement Notices (mail, November '
                                         '2024 claim deadline)'],
              'containment_measures': ['Network Access Revoked',
                                       'Immediate Remediation'],
              'enhanced_monitoring': ['24-Month Credit/Identity Monitoring for '
                                      'Victims'],
              'incident_response_plan_activated': True,
              'law_enforcement_notified': True,
              'remediation_measures': ['Enhanced Data Security Policies '
                                       '(unspecified)'],
              'third_party_assistance': ['Forensic Investigators',
                                         'Legal Counsel']},
 'stakeholder_advisories': ['Settlement notices mailed to class members '
                            '(September 2024).',
                            'Final hearing scheduled for December 4, 2024.'],
 'threat_actor': 'Unidentified (Third-Party Hacker)',
 'title': 'Hospital Sisters Health System 2023 Data Breach Settlement',
 'type': ['Data Breach', 'Cyberattack', 'Class Action Litigation']}