Hospital Sisters Health System (HSHS) in Springfield, IL, and Prevea Health in Green Bay, WI, were affected by a cyberattack in late August which caused an outage on August 27, 2023, that affected its computer systems, phone lines, and websites. The outage lasted for several days, during which time HSHS and Prevea operated under downtime procedures. The attack took its websites and certain applications offline, including the MyChart and MyPrevea applications. HSHS was also unable to process online payments as its computer system was offline, but care continued to be provided to patients.

HSHS decided to suspend collecting payments for outstanding bills while it was recovering from the attack, although some of its partners in Illinois and Wisconsin continued to send bills to patients. In early September, HSHS published an open letter to patients warning them about the potential misuse of their information, as reports had been received from some patients who had been contacted by email, SMS, and phone by an unidentified third party that claimed to be a HSHS representative who was attempting to obtain payment for services. In the letter, HSHS advised patients not to respond to suspicious requests via email, SMS, and phone for payment and to carefully check bills before making any payment. HSHS said if a message or SMS is received, to save it and email it to questions@hshs.org to allow it to be investigated and HSHS and Prevea Health would determine if such a request was legitimate or fraudulent.

HSHS has now confirmed that an unauthorized third party had accessed its systems that contained the personal and protected health information of patients and HSHS employees and said it has been investigating the breach and reviewing the data potentially compromised in the incident. While the open letter suggests that there was attempted misuse of stolen data, HSHS said it is unaware of any cases of fraud or identity theft. On October 26, 2023, notification letters started to be sent to the affected individuals, who have been offered complimentary credit monitoring and identity theft protection services. HSHS said it takes time to fully investigate incidents and notify the affected individuals, and more time is required for the data review process; however, notifications are being issued on a rolling basis.

HSHS said the appropriate authorities have been informed about the breach; however, the incident has yet to appear on the HHS’ Office for Civil Rights breach portal and neither HSHS nor Previa have publicly confirmed how many individuals have potentially been affected.

The post Hospital Sisters Health System Starts Notifying Individuals About August Cyberattack appeared first on HIPAA Journal.