A data breach at a third-party provider has potentially exposed the private medical information of patients at Northwestern Memorial HealthCare (NMHC) providers.
Unknown actors gained unauthorized access to a database owned by Elekta, which provides a cloud-based platform that handles legally required cancer reporting to the State of Illinois.
In a security advisory, the healthcare provider, based in Chicago, said that the attackers made a copy of the datasets, which include patient names, dates of birth, Social Security numbers, health insurance information, and medical record numbers.
The database also contained clinical information related to cancer treatment, including medical histories, physician names, dates of service, treatment plans, diagnoses, and/or prescription information.
Those potentially affected are patients of Northwestern Medicine Central DuPage Hospital, Northwestern Medicine Delnor Community Hospital, Northwestern Medicine Huntley Hospital, Northwestern Medicine Kishwaukee Hospital, Northwestern Medicine Lake Forest Hospital, Northwestern Medicine McHenry Hospital, Northwestern Memorial Hospital, and Northwestern Medicine Valley West Hospital.
NMHC said that no financial information was accessed. Any patients believed to have been affected will be notified by post. NMHC will also be offering free credit monitoring services to those whose Social Security numbers were exposed.
“Patients are encouraged to review statements from their health insurer or healthcare provider, and to contact them immediately if they see any services they did not receive,” the statement reads.
“We regret that this incident occurred and are committed to protecting the security and privacy of patient information.”
NMHC also said it was “re-evaluating its relationship with Elekta”.
The Daily Swig reached out to NMHC, which directed us to their statement.
Third-party perils
The attackers did not access NMHC’s systems, networks, or health records, the company confirmed.
Rather, the incident was a stark reminder about the risks of using third-party software or services.
The notorious Blackbaud incident is a good example of what can happen as a result of a cyber-attack at a service provider.
Hundreds of charitable organizations and fundraising initiatives were affected by the ransomware attack, which exposed the personal details of financial donors.