Illinois Department of Healthcare and Family Services and Illinois Department of Human Services: Illinois health data stolen in February phishing attack

Illinois Health Agency Reports Phishing Attack Exposing Sensitive Data

In February, the Illinois Department of Healthcare and Family Services (HFS) disclosed a data breach affecting 933 individuals—564 of whom are state residents—after a phishing attack compromised an employee email account. Threat actors gained access by sending malicious emails from a previously hacked government account, enabling the exfiltration of personal data, including names, birthdates, driver’s license and state ID numbers, Social Security numbers, and financial details related to child support or Medicaid.

HFS responded by blocking malicious links, resetting employee passwords, and collaborating with the state Department of Innovation and Technology to contain the breach. While no evidence of misuse has been reported, affected individuals were advised to monitor credit reports and set up fraud alerts.

The incident highlights ongoing cybersecurity risks in government systems, particularly through phishing and supply chain vulnerabilities. Separately, U.S. and Australian authorities have issued warnings about active exploitation of the "MongoBleed" vulnerability in MongoDB, with concerns that advanced persistent threats (APTs) may target critical infrastructure sectors, including energy, water, and transportation.

Source: https://www.scworld.com/brief/illinois-health-data-stolen-in-february-phishing-attack

Illinois Department of Healthcare and Family Services cybersecurity rating report: https://www.rankiteo.com/company/ildhfs

"id": "ILDILD1767327524",
"linkid": "ildhfs, ildhfs",
"type": "Breach",
"date": "2/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '933 individuals (564 state '
                                              'residents)',
                        'industry': 'Healthcare and Social Services',
                        'location': 'Illinois, USA',
                        'name': 'Illinois Department of Healthcare and Family '
                                'Services (HFS)',
                        'type': 'Government Agency'}],
 'attack_vector': 'Phishing',
 'customer_advisories': 'Affected individuals notified and advised to monitor '
                        'credit reports and enable fraud alerts.',
 'data_breach': {'data_exfiltration': 'Yes',
                 'number_of_records_exposed': '933',
                 'personally_identifiable_information': 'Names, birthdates, '
                                                        "driver's license and "
                                                        'state ID numbers, '
                                                        'Social Security '
                                                        'numbers',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': 'Personally Identifiable '
                                             'Information (PII), Financial '
                                             'Information'},
 'date_detected': '2024-02',
 'description': 'Infiltration of an HFS employee email account via malicious '
                'emails sent via another hacked government account allowed '
                "threat actors to exfiltrate individuals' data, which may have "
                "included names, birthdates, driver's license and state ID "
                'numbers, and Social Security numbers, as well as child '
                'support- or Medicaid-related financial details. The breach '
                'was disclosed more than a year after the February phishing '
                'attack.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage to '
                                       'Illinois Department of Healthcare and '
                                       'Family Services',
            'data_compromised': "Names, birthdates, driver's license and state "
                                'ID numbers, Social Security numbers, child '
                                'support- or Medicaid-related financial '
                                'details',
            'identity_theft_risk': 'High',
            'payment_information_risk': 'Possible (Medicaid-related financial '
                                        'details)',
            'systems_affected': 'Employee email account'},
 'initial_access_broker': {'entry_point': 'Hacked government email account'},
 'investigation_status': 'Ongoing',
 'motivation': 'Data Exfiltration',
 'post_incident_analysis': {'corrective_actions': 'Malicious link blocking, '
                                                  'password resets, '
                                                  'collaboration with state '
                                                  'Department of Innovation '
                                                  'and Technology',
                            'root_causes': 'Phishing attack leading to '
                                           'unauthorized access to employee '
                                           'email account'},
 'recommendations': 'Impacted individuals urged to track credit reports and '
                    'enable fraud alerts to avert potential malicious '
                    'activity.',
 'references': [{'source': 'CyberRisk Alliance'}],
 'response': {'communication_strategy': 'Data breach notification to affected '
                                        'individuals',
              'containment_measures': 'Malicious link blocking, employee '
                                      'password resets',
              'incident_response_plan_activated': 'Yes',
              'third_party_assistance': 'State Department of Innovation and '
                                        'Technology'},
 'title': 'Illinois Health Data Breach via Phishing Attack',
 'type': 'Data Breach'}