NMH Reports Data Breach Affecting Sensitive Personal and Health Information
Northwestern Memorial HealthCare (NMH) disclosed a data breach in which unauthorized access to sensitive personal identifiable information (PII) and protected health information (PHI) may have occurred. The incident was first detected on or around May 13, 2025, prompting an internal investigation.
NMH confirmed that an unauthorized third party accessed its network between March 19 and May 20, 2025, potentially exposing a range of personal and medical data. The compromised information varies by individual but may include:
- Full names
- Social Security numbers
- Addresses
- Dates of birth
- Medical records
- Health insurance details
Following the investigation, NMH published a breach notice on its website and began mailing notification letters to affected individuals. For California residents, the notices include a breakdown of the exposed data and offer complimentary credit monitoring services. The breach highlights ongoing risks to healthcare data security and the potential for long-term identity theft risks for those impacted.
Source: https://straussborrelli.com/2026/03/09/northwest-medical-homes-data-breach-investigation/
Northwestern Medicine cybersecurity rating report: https://www.rankiteo.com/company/northwestern-medicine
"id": "NOR1773081145",
"linkid": "northwestern-medicine",
"type": "Breach",
"date": "3/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': 'Unknown (individuals notified '
'via mail)',
'industry': 'Healthcare',
'location': 'United States',
'name': 'Northwestern Memorial HealthCare (NMH)',
'type': 'Healthcare Provider'}],
'attack_vector': 'Unauthorized Network Access',
'customer_advisories': 'Complimentary credit monitoring services offered to '
'California residents',
'data_breach': {'personally_identifiable_information': ['Full names',
'Social Security '
'numbers',
'Addresses',
'Dates of birth',
'Medical records',
'Health insurance '
'details'],
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Personal Identifiable '
'Information (PII)',
'Protected Health Information '
'(PHI)']},
'date_detected': '2025-05-13',
'date_publicly_disclosed': '2025-05-20',
'description': 'Northwestern Memorial HealthCare (NMH) disclosed a data '
'breach in which unauthorized access to sensitive personal '
'identifiable information (PII) and protected health '
'information (PHI) may have occurred. The incident was '
'detected on or around May 13, 2025, prompting an internal '
'investigation. An unauthorized third party accessed its '
'network between March 19 and May 20, 2025, potentially '
'exposing personal and medical data.',
'impact': {'brand_reputation_impact': 'Potential long-term identity theft '
'risks',
'data_compromised': 'Sensitive personal identifiable information '
'(PII) and protected health information (PHI)',
'identity_theft_risk': 'High',
'systems_affected': 'NMH Network'},
'investigation_status': 'Completed',
'references': [{'source': 'NMH Breach Notice'}],
'regulatory_compliance': {'regulations_violated': ['HIPAA']},
'response': {'communication_strategy': 'Breach notice published on website '
'and notification letters mailed to '
'affected individuals',
'incident_response_plan_activated': 'Yes'},
'threat_actor': 'Unauthorized Third Party',
'title': 'NMH Data Breach Affecting Sensitive Personal and Health Information',
'type': 'Data Breach'}