St. Anthony Hospital is investigating a breach of its email system that may have exposed the personal information of 6,679 people.
The Little Village hospital learned in February that an “unauthorized actor” accessed a small number of hospital employee email accounts, according to a statement from the hospital.
Though the hospital is still investigating, with the help of cybersecurity experts, it has learned that information such as names, addresses, dates of birth, Social Security numbers, medical record numbers, patient account numbers, prescription information and medical histories may have been exposed.
At this point, the hospital said it has no evidence that any of the information has been misused or that the incident has led to identity theft or fraud. The hospital said it will notify individuals if it learns that their information has been affected.
“We deeply value the trust placed in us to protect personal information,” the hospital said in a statement. “We are unwavering in our commitment to privacy and security, and we acted swiftly upon discovery to safeguard the data in our care.”
The hospital is encouraging patients and employees to protect themselves by placing a fraud alert/security freeze on their credit files, getting free credit reports, and reviewing their financial account statements and credit reports. People with questions about the incident can call 877-580-4384 from 9 a.m. to 5 p.m. Monday through Friday.
Cybersecurity incidents have become increasingly common at hospitals and health systems in recent years, which are often targeted because of their size and the wealth of personal information they hold.
In May, UChicago Medicine disclosed that the personal information of about 38,000 patients of a UChicago Medicine medical group may have been exposed in an incident involving one of the group’s vendors. A month earlier, Loretto Hospital on the city’s West Side said it was the victim of a hacking incident that may have exposed the information of more than 500 people.
Health system Ascension and Lurie Children’s Hospital were also targeted last year.
Health systems must report breaches of protected health information affecting 500 or more people to the U.S. Department of Health and Human Services’ Office for Civil Rights, which posts reports on a public website.
