Saint Anthony Hospital

Saint Anthony Hospital, an independent nonprofit hospital in Chicago, experienced a data breach in February 2025 when unauthorized access to employee email accounts exposed sensitive personally identifiable information (PII) and protected health information (PHI) of 6,679 patients and employees. The compromised data included full names, addresses, dates of birth, Social Security numbers, telephone numbers, dates of service, and medical records. The breach was discovered on February 6, 2025, but was only disclosed to the U.S. Department of Health and Human Services (HHS) in September 2025, indicating a prolonged exposure period. The hospital engaged third-party cybersecurity experts and notified law enforcement, but the delay in public disclosure raises concerns about response efficiency. Affected individuals face risks of identity theft, financial fraud, and medical fraud, with potential long-term consequences. A class-action lawsuit is underway, offering compensation for victims. The incident underscores vulnerabilities in healthcare cybersecurity, particularly regarding email account security and timely breach detection, while also highlighting the broader implications of PHI exposure in a sector already targeted by cybercriminals.

Source: https://www.claimdepot.com/investigations/saint-anthony-hospital-data-breach-2025

TPRM report: https://www.rankiteo.com/company/saint-anthony-hospital

"id": "sai2002920111825",
"linkid": "saint-anthony-hospital",
"type": "Breach",
"date": "2/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '6,679 (patients and employees)',
                        'industry': 'Healthcare',
                        'location': 'Chicago, Illinois, USA',
                        'name': 'Saint Anthony Hospital',
                        'type': 'Nonprofit Hospital'}],
 'attack_vector': 'Email Account Compromise',
 'customer_advisories': 'Affected individuals were notified with recommended '
                        'actions (e.g., credit monitoring, fraud alerts, and '
                        'reporting suspicious activity).',
 'data_breach': {'data_exfiltration': 'Likely (unauthorized access to email '
                                      'accounts)',
                 'number_of_records_exposed': '6,679',
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'High (includes PII and PHI)',
                 'type_of_data_compromised': ['Full name',
                                              'Address',
                                              'Date of birth',
                                              'Social Security number',
                                              'Date(s) of service',
                                              'Telephone numbers',
                                              'Medical information']},
 'date_detected': '2025-02-06',
 'date_publicly_disclosed': '2025-09-12',
 'description': 'Saint Anthony Hospital, an independent, nonprofit, '
                'faith-based acute care community hospital in Chicago, '
                'Illinois, discovered on February 6, 2025, that an '
                'unauthorized party may have accessed a limited number of '
                'employee email accounts. The breach exposed personally '
                'identifiable information (PII) and personal health '
                'information (PHI) of at least 6,679 patients and employees. '
                'The incident was disclosed to the U.S. Department of Health '
                'and Human Services on September 12, 2025.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
                                       'exposure of sensitive patient and '
                                       'employee data',
            'data_compromised': ['PII', 'PHI'],
            'identity_theft_risk': 'High (due to exposure of SSNs, medical '
                                   'info, and other PII)',
            'legal_liabilities': 'Potential lawsuits and compensation claims '
                                 '(e.g., Shamis & Gentile P.A. investigation)',
            'systems_affected': ['Employee Email Accounts']},
 'initial_access_broker': {'entry_point': 'Employee email accounts',
                           'high_value_targets': ['PII', 'PHI']},
 'investigation_status': 'Ongoing (as of public disclosure in September 2025; '
                         'class-action investigation by Shamis & Gentile P.A.)',
 'recommendations': ['Monitor credit reports and financial accounts for '
                     'suspicious activity',
                     'Place a fraud alert or security freeze on credit files '
                     'with Equifax, Experian, and TransUnion',
                     'Watch for unusual medical bills or insurance statements',
                     'Review communications from Saint Anthony Hospital and '
                     'retain copies',
                     "Contact the hospital's toll-free response line "
                     '(877-580-4384) for questions'],
 'references': [{'source': 'Shamis & Gentile P.A. Investigation Notice'}],
 'regulatory_compliance': {'legal_actions': 'Potential class-action lawsuit '
                                            '(investigated by Shamis & Gentile '
                                            'P.A.)',
                           'regulations_violated': ['HIPAA (likely, due to '
                                                    'exposure of PHI)'],
                           'regulatory_notifications': 'U.S. Department of '
                                                       'Health and Human '
                                                       'Services (notified on '
                                                       '2025-09-12)'},
 'response': {'communication_strategy': {'customer_advisories': 'Notices sent '
                                                                'to affected '
                                                                'individuals '
                                                                'with '
                                                                'recommended '
                                                                'actions '
                                                                '(e.g., credit '
                                                                'monitoring, '
                                                                'fraud alerts)',
                                         'public_disclosure': 'Disclosed to '
                                                              'U.S. Department '
                                                              'of Health and '
                                                              'Human Services '
                                                              'on 2025-09-12',
                                         'toll_free_response_line': '877-580-4384 '
                                                                    '(available '
                                                                    'Mon-Fri, '
                                                                    '8 a.m. to '
                                                                    '5 p.m. '
                                                                    'CT)'},
              'incident_response_plan_activated': True,
              'law_enforcement_notified': True,
              'third_party_assistance': True},
 'threat_actor': 'Unauthorized Party (Unknown)',
 'title': 'Saint Anthony Hospital Data Breach (February 2025)',
 'type': 'Data Breach (Unauthorized Email Access)'}