In August 2023, Hospital Sisters Health System (HSHS) suffered a **targeted cyberattack** that compromised the **personally identifiable information (PII) and protected health information (PHI)** of patients. The breach exposed sensitive data, leading to potential identity theft, fraud, and financial losses for affected individuals. HSHS agreed to a **$7.6 million class-action settlement**, offering victims up to **$5,000 in reimbursement** for documented losses (e.g., credit monitoring, ID replacement, fraud-related expenses) or a **pro rata cash payment**. Additionally, all class members were eligible for **two years of credit monitoring and $1 million in fraud insurance**. The incident stemmed from HSHS’s alleged failure to adequately secure its systems, though the organization denied wrongdoing. The settlement covers administrative costs, legal fees, and direct payouts to victims, with claims processed until **November 14, 2025**.
Source: https://www.claimdepot.com/settlements/hshs-data-settlement
TPRM report: https://www.rankiteo.com/company/hospital-sisters-health-system
{
  "id": "hos5292352092625",
  "linkid": "hospital-sisters-health-system",
  "type": "Cyber Attack",
  "date": "8/2023",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization’s existence"
}
{
    'affected_entities': [
        {
            'customers_affected': 'All individuals whose PII/PHI was compromised between August 16–27, 2023 (exact number not specified)',
            'industry': 'Healthcare',
            'name': 'Hospital Sisters Health System (HSHS)',
            'type': 'Healthcare System',
        },
    ],
    'customer_advisories': 'Claim deadline: November 14, 2025. Options include documented loss reimbursement (up to $5,000), pro rata cash payment, or two years of credit monitoring. Payouts via PayPal, Venmo, Zelle, or paper check.',
    'data_breach': {
        'data_exfiltration': 'Likely (data was compromised and sold/used for fraud)',
        'personally_identifiable_information': [
            'Names',
            'Credit/financial data',
            'Health records',
            'IDs (e.g., driver’s licenses, Social Security numbers)',
        ],
        'sensitivity_of_data': 'High (includes health and identity-related data)',
        'type_of_data_compromised': [
            'Personally Identifiable Information (PII)',
            'Personal Health Information (PHI)',
        ],
    },
    'date_detected': '2023-08-16',
    'description': 'A targeted cyberattack on Hospital Sisters Health System (HSHS) in August 2023 compromised personally identifiable information (PII) and personal health information (PHI) of consumers. The breach led to a $7.6 million class action settlement, offering affected individuals up to $5,000 in reimbursement for documented losses or a pro rata cash payment, along with two years of credit monitoring services.',
    'impact': {
        'brand_reputation_impact': 'Class action lawsuit and settlement indicate reputational damage',
        'data_compromised': [
            'Personally Identifiable Information (PII)',
            'Personal Health Information (PHI)',
        ],
        'financial_loss': {
            'credit_monitoring_cost': 'Two years of CyEx Financial Shield (includes $1M fraud insurance)',
            'individual_claim_limit': 'Up to $5,000 (documented losses)',
            'pro_rata_payment': "Remaining funds after deductions (attorneys' fees, administration costs, etc.)",
            'settlement_fund': '$7.6 million',
        },
        'identity_theft_risk': 'Documented cases of identity theft or fraud reported by affected individuals',
        'legal_liabilities': "$7.6 million settlement fund (including attorneys' fees, administration costs, and class member payments)",
        'systems_affected': ['Network systems'],
    },
    'initial_access_broker': {
        'data_sold_on_dark_web': 'Implied (fraud/identity theft reported by victims)',
        'high_value_targets': ['PII', 'PHI'],
    },
    'investigation_status': 'Settled (class action lawsuit resolved; no admission of wrongdoing by HSHS)',
    'post_incident_analysis': {
        'root_causes': 'Alleged failure to adequately protect sensitive information (per lawsuit)',
    },
    'references': [
        {'source': 'Class Action Settlement Notice'},
        {'source': 'Settlement Administrator Contact'},
    ],
    'regulatory_compliance': {
        'legal_actions': 'Class action lawsuit settled for $7.6 million',
    },
    'response': {
        'communication_strategy': 'Notices sent to affected individuals via postcard/email with unique ID/PIN for claims. Settlement administrator established for claims processing.',
    },
    'stakeholder_advisories': 'Notices sent to affected individuals with claim instructions (ID/PIN provided). Settlement administrator available via email ([email protected]) and phone (844-496-1105).',
    'title': 'Hospital Sisters Health System Data Breach (August 2023)',
    'type': ['Data Breach', 'Cyberattack'],
}