The California Office of the Attorney General disclosed a data breach affecting Advocate Sherman Hospital, traced back to May 8, 2018, but reported on March 13, 2019. The incident stemmed from unauthorized access to a server operated by Jobscience, a former third-party service provider. The compromised data included highly sensitive personal information of affected individuals, such as names, contact details, dates of birth, resumes, and Social Security Numbers (SSNs). The exposure of SSNs poses a severe risk of identity theft, financial fraud, and long-term reputational harm to the victims. While the breach did not involve ransomware or a direct cyberattack on the hospital’s systems, the failure to secure third-party vendor data highlights critical vulnerabilities in supply chain cybersecurity. The delayed detection (nearly a year later) further exacerbates the potential damage, as affected individuals remained uninformed and exposed for an extended period. The breach underscores the broader industry challenge of safeguarding patient and employee data entrusted to external partners, with legal and regulatory repercussions likely under HIPAA and state data protection laws.
Source: https://oag.ca.gov/ecrime/databreach/reports/sb24-145430
TPRM report: https://www.rankiteo.com/company/sherman-hospital
"id": "she721082025",
"linkid": "sherman-hospital",
"type": "Breach",
"date": "5/2018",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'industry': 'Healthcare',
'location': 'Illinois, USA',
'name': 'Advocate Sherman Hospital',
'type': 'Healthcare Provider'},
{'industry': 'HR/Recruitment Technology',
'name': 'Jobscience',
'type': 'Service Provider (Former)'}],
'attack_vector': 'Unauthorized Access (Third-Party Service Provider)',
'data_breach': {'data_exfiltration': 'Potential (Unauthorized Access)',
'file_types_exposed': ['Resumes', 'Databases (likely)'],
'personally_identifiable_information': ['Names',
'Contact Information',
'Dates of Birth',
'Social Security '
'Numbers'],
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)',
'Employment Data']},
'date_detected': '2018-05-08',
'date_publicly_disclosed': '2019-03-13',
'description': 'The California Office of the Attorney General reported a data '
'breach involving Advocate Sherman Hospital on March 13, 2019. '
'The breach, which occurred on May 8, 2018, was due to '
'unauthorized access to data on the server of a former service '
'provider, Jobscience, potentially exposing names, contact '
'information, dates of birth, resumes, and Social Security '
'Numbers of affected individuals.',
'impact': {'data_compromised': ['Names',
'Contact Information',
'Dates of Birth',
'Resumes',
'Social Security Numbers'],
'identity_theft_risk': 'High (PII and SSNs exposed)',
'systems_affected': ['Jobscience Server']},
'initial_access_broker': {'entry_point': 'Jobscience Server (Third-Party)',
'high_value_targets': ['PII of Advocate Sherman '
'Hospital '
'Employees/Applicants']},
'post_incident_analysis': {'root_causes': ['Third-Party Vendor Security Lapse',
'Unauthorized Server Access']},
'references': [{'date_accessed': '2019-03-13',
'source': 'California Office of the Attorney General'}],
'regulatory_compliance': {'regulations_violated': ['Potential HIPAA '
'(Healthcare Data)',
'California Data Breach '
'Notification Law'],
'regulatory_notifications': ['California Office of '
'the Attorney '
'General']},
'response': {'communication_strategy': 'Public Disclosure via California '
'Office of the Attorney General'},
'title': 'Data Breach at Advocate Sherman Hospital via Jobscience',
'type': 'Data Breach'}