Personal information of 348,000 people potentially exposed in NorthShore data breach

NorthShore University HealthSystem is reporting that protected health information of its patients was involved in a data security breach. The system has sent notification letters to individuals who have been affected by this incident.

According to the Chicago Tribune, the personal information of 348,000 people were potentially exposed in the breach. Northwestern Memorial Healthcare alone said it recently notified about 56,000 donors and patients that their information may have become compromised. The breaches have been reported to the U.S. Department of Health and Human Services' Office for Civil Rights.

WHAT'S THE IMPACT?

On July 22, NorthShore learned of a data security incident from a company named Blackbaud, a software services provider to 35,000 nonprofit fundraising entities worldwide, including NorthShore Foundation. According to Blackbaud, the incident involved a ransomware attack on its systems between February 7 and May 20, during which time unauthorized individuals accessed and extracted some of Blackbaud's client files.

When it learned of the incident, NorthShore immediately reviewed the Blackbaud notification and requested additional information to mitigate any effects. Blackbaud said no credit card, bank account information, social security numbers, or user login credentials and passwords were compromised or accessed. 

However, NorthShore determined that some PHI was breached including patients' full name, date of birth, contact information (address, phone number and e-mail address), admission and discharge dates, locations of services, and physician names and specialties.

This incident was not a breach of NorthShore's internal applications or systems; that means no patient medical records were accessed, the system said.

In response to the attack, Blackbaud said it took actions to mitigate the breach, including notifying appropriate law enforcement; successfully locking out the unauthorized users from its system; paying a financial demand in exchange for confirmation that the extracted files were destroyed; hiring a monitoring service to ensure there is no future use of the data breached; and heightening its security efforts to protect against future cyberattacks.

Based on the data involved, NorthShore said there's low risk of harm to affected patients. As such, the provider said there are currently no specific actions that donors or patients need to take. The system is notifying everyone affected and reminding them to regularly monitor personal accounts for any suspicious activity.

Anyone looking to find out if their data was involved in the breach can call NorthShore at 1-224-364-7200.

THE LARGER TREND

In June, HHS reported an increase in cybersecurity breaches in hospitals and providers' networks, which the agency thinks may be the result of hackers taking advantage of the distractions caused by the COVID-19 pandemic.

Between February and May, there were 132 reported breaches, an almost 50% increase from the same period last year. Natali Tshuva, CEO and cofounder of Sternum, an IoT cybersecurity company that provides medical device manufacturers with built-in security solutions, said that gaining control through patients' medical devices has become a common technique for hacking during the pandemic because more people are using remote care.

These breaches can be costly. The average breach, according to the Ponemon Institute, costs nearly $3 million and exposes roughly 10,000 records. 

Of the 54% of respondents in a Ponemon poll who had at least one data breach involving PHI over the past two years, 41% had six or more breaches during this time. They cite the human factor as their biggest vulnerability when it comes to data breaches, suggesting that automation technology and process changes will be key in stemming the tide.
 

Twitter: @JELagasse
Email the writer: jeff.lagasse@himssmedia.com