883K Individuals Affected by Hospital Sisters Health System 2023 Data Breach

By Daniel Lopez

Prevea Health in Green Bay, WI, and Hospital Sisters Health System (HSHS) in Springfield, IL, suffered a cyberattack that triggered a system outage on August 27, 2023. The incident impacted their computer networks, phone systems, and websites. The outage continued for a few days, during which Prevea and HSHS operated under standard downtime procedures. Because of the attack, their websites and some apps, such as the MyPrevea and MyChart applications, were offline. HSHS could not process online payments while its computer network was down, but it continued providing patient care.

HSHS decided to put the collection of outstanding payments on hold while it restored systems after the attack. However, several of its partners in Wisconsin and Illinois still billed their patients. At the beginning of September, HSHS posted an open letter cautioning its patients about possible data misuse. The letter was a response to reports from a few patients who had been contacted by an unidentified third party through email, text message, and phone, claiming to be a representative of HSHS and trying to collect payment for services. HSHS said in the letter that patients should not reply to suspicious requests for payment received through SMS, email, or phone and should carefully check billing statements before paying. HSHS stated that patients who receive such a message or SMS should save it and forward it via email to [email protected] for investigation. Prevea Health and HSHS would look into the matter and confirm whether the request was genuine or fraudulent.

HSHS has already announced that a third party gained unauthorized access to its systems. The personal data and protected health information (PHI) of patients and HSHS workers were potentially accessed. Investigation of the breach and analysis of the potentially affected data are ongoing. Although the open letter indicates attempted misuse of stolen information, HSHS stated it does not know of any incidents of identity theft or fraud. On October 26, 2023, HSHS began sending notification letters to the impacted people, who were provided free identity theft protection and credit monitoring services. When the cyberattack was reported, HSHS said that the full investigation of the incident, analysis of files, and notification of affected people would take time to complete. HSHS explained that notification letters would be sent on a rolling basis as the file review progressed.

HSHS said the proper authorities were notified of the breach. The HHS Office for Civil Rights breach portal presently lists the breach as affecting the PHI of 500 people, which is a placeholder number because the file review is not yet complete. HSHS has confirmed that the data exposed in the attack involved names, addresses, birth dates, driver’s license numbers, Social Security numbers, medical record numbers, medical insurance data, and some medical and treatment data. In compliance with HIPAA, notification letters were mailed on a rolling basis starting on August 30, 2024, and will soon be completed. In February 2025, HSHS’ legal counsel informed the Maine Attorney General that the breach impacted 882,782 people.

Image credit: logo © Hospital Sisters Health System / Gorodenkoff, AdobeStock

Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for NetSec.news. Daniel has over 10 years of experience as a HIPAA coach. Daniel provides his HIPAA expertise to several publications, including Healthcare IT Journal and The HIPAA Guide. Daniel studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X: https://twitter.com/DanielLHIPAA