In May, 2021, DataBreaches.net sent an email inquiry to OSF Healthcare in Illinois after seeing that threat actors known as Xing Team claimed to have attacked them and exfiltrated data. OSF Healthcare never responded to the inquiry. In June, after Xing Team started dumping what appeared to be patient data, DataBreaches.net sent OSF Healthcare a second email. Again they did not respond. On June 11, DataBreaches.net reported on the incident and provided redacted screencaps of some of the dumped data.
This week, OSF Healthcare issued a statement that appears to relate to the incident described above. They do not explain why with the data dumped on or about June 3, it took them until the first week in October to notify people and why their notification does not tell them that their protected health information was actually dumped on the dark web for anyone to help themselves to. Nor do they tell people that the data are still publicly available and that according to a counter on the site, the listing has been accessed more than 350,000 times.
This incident has since been reported to HHS’s public breach tool as impacting 53,907 patients.
The following notice was posted on their web site this week. DataBreaches.net comments that in our opinion, there is absolutely no excuse for telling patients that their data “may have been” involved when the stolen data have been publicly dumped and the covered entity knows that this was not a “may have been” involved but a was involved. It is time for HHS OCR to crack down on such misleading notifications and require more truthfulness. If there are people whose data truly may have been exfiltrated but the entity cannot confirm that, then such “may have been” language is appropriate. But for those where data was actually dumped, it is not acceptable to try to pretend that it only “may have been” involved.
OSF HealthCare is committed to protecting the security and privacy of our patient information. On October 1, 2021, we mailed notification letters to some patients of OSF HealthCare Little Company of Mary Medical Center and OSF HealthCare Saint Paul Medical Center whose information may have been involved in a data security incident.
We identified and addressed a data security incident that disrupted the operations of some of our IT systems. The incident was first identified on April 23, 2021, and we immediately took steps to secure our systems, launched an investigation with the assistance of a third-party forensic investigator, and notified law enforcement. The investigation determined that an unauthorized party gained access to our systems from March 7, 2021, to April 23, 2021. As part of the incident, certain files were accessed relating to some of our patients of OSF Little Company of Mary and OSF Saint Paul. In order to determine what data was involved, we conducted a thorough review of those files.
On August 24, 2021, the review of the files involved determined that they may have contained some of the following information: Patient names and contact information; dates of birth; Social Security numbers; driver’s license numbers; state or government identification numbers; treatment and diagnosis information and codes; physician names, dates of service, hospital units, prescription information and medical record numbers; and Medicare, Medicaid or other health insurance information. For a smaller subset of patients, financial account information, credit or debit card information or credentials for an online financial account were also contained in the files involved in the incident.
For patients whose health information may have been involved, we recommend that they review the statements they receive from their health care providers and contact the relevant provider immediately if they see services they did not receive. Additionally, for eligible individuals whose Social Security numbers or driver’s license numbers may have been involved in the incident, we are offering complimentary credit monitoring and identity protection services through Experian.
We take this incident very seriously and sincerely regret any concern this may cause. To help prevent something like this from happening again, we have implemented additional safeguards
and technical security measures to further protect and monitor our systems. A dedicated call center has been established to answer any questions about this incident. The call center can be reached at (855) 551-1669, Monday through Friday, between 8 a.m. and 5:30 p.m. Central Time.
Source: OSF Healthcare
Updated at 2:34 pm to include report to HHS that 53,907 patients were impacted.