IL: OSF Healthcare discloses ransomware incident

Posted on October 6, 2021 by Dissent

In May 2021, DataBreaches.net sent an email inquiry to OSF Healthcare in Illinois after seeing that threat actors known as Xing Team claimed to have attacked them and exfiltrated data. OSF Healthcare never responded to the inquiry. In June, after Xing Team started dumping what appeared to be patient data, DataBreaches.net sent OSF Healthcare a second email. Again they did not respond. On June 11, DataBreaches.net reported on the incident and provided redacted screencaps of some of the dumped data.

This week, OSF Healthcare issued a statement that appears to relate to the incident described above. They do not explain why, with the data dumped on or about June 3, it took them until the first week in October to notify people, nor why their notification does not tell them that their protected health information was actually dumped on the dark web for anyone to help themselves to. Nor do they tell people that the data are still publicly available and that, according to a counter on the site, the listing has been accessed more than 350,000 times.

This incident has since been reported to HHS’s public breach tool as impacting 53,907 patients.

The following notice was posted on their web site this week. DataBreaches.net comments that, in our opinion, there is absolutely no excuse for telling patients that their data “may have been” involved when the stolen data have been publicly dumped and the covered entity knows that this was not a “may have been” involved but a “was” involved. It is time for HHS OCR to crack down on such misleading notifications and require more truthfulness. If there are people whose data truly may have been exfiltrated but the entity cannot confirm that, then such “may have been” language is appropriate. But for those whose data was actually dumped, it is not acceptable to try to pretend that it only “may have been” involved.


OSF HealthCare is committed to protecting the security and privacy of our patient information. On October 1, 2021, we mailed notification letters to some patients of OSF HealthCare Little Company of Mary Medical Center and OSF HealthCare Saint Paul Medical Center whose information may have been involved in a data security incident.

We identified and addressed a data security incident that disrupted the operations of some of our IT systems. The incident was first identified on April 23, 2021, and we immediately took steps to secure our systems, launched an investigation with the assistance of a third-party forensic investigator, and notified law enforcement. The investigation determined that an unauthorized party gained access to our systems from March 7, 2021, to April 23, 2021. As part of the incident, certain files were accessed relating to some of our patients of OSF Little Company of Mary and OSF Saint Paul. In order to determine what data was involved, we conducted a thorough review of those files.

On August 24, 2021, the review of the files involved determined that they may have contained some of the following information: Patient names and contact information; dates of birth; Social Security numbers; driver’s license numbers; state or government identification numbers; treatment and diagnosis information and codes; physician names, dates of service, hospital units, prescription information and medical record numbers; and Medicare, Medicaid or other health insurance information. For a smaller subset of patients, financial account information, credit or debit card information or credentials for an online financial account were also contained in the files involved in the incident.

For patients whose health information may have been involved, we recommend that they review the statements they receive from their health care providers and contact the relevant provider immediately if they see services they did not receive. Additionally, for eligible individuals whose Social Security numbers or driver’s license numbers may have been involved in the incident, we are offering complimentary credit monitoring and identity protection services through Experian.

We take this incident very seriously and sincerely regret any concern this may cause. To help prevent something like this from happening again, we have implemented additional safeguards and technical security measures to further protect and monitor our systems. A dedicated call center has been established to answer any questions about this incident. The call center can be reached at (855) 551-1669, Monday through Friday, between 8 a.m. and 5:30 p.m. Central Time.

Source: OSF Healthcare


Updated at 2:34 pm to include report to HHS that 53,907 patients were impacted.

Category: Breach Incidents, Commentaries and Analyses, Health Data, Malware, U.S.
