Data Breach at Third-Party Provider Exposed Medical Information of US Healthcare Patients


A data breach at a third-party provider has potentially leaked patients' confidential medical information from Northwestern Memorial HealthCare (NMHC) providers.

Unknown attackers obtained unauthorized access to a database managed by Elekta, a cloud-based platform that manages legally mandated cancer reporting to the State of Illinois.

The healthcare provider, located in Chicago, reported the attackers copied the datasets, which included patient names, dates of birth, Social Security numbers, health insurance information, and medical record numbers, according to a security alert. 

The database also contained clinical information related to cancer treatment, including medical histories, physician names, dates of service, treatment plans, diagnoses, and/or prescription information.

Those potentially affected are patients of Northwestern Medicine Central DuPage Hospital, Northwestern Medicine Delnor Community Hospital, Northwestern Medicine Huntley Hospital, Northwestern Medicine Kishwaukee Hospital, Northwestern Medicine Lake Forest Hospital, Northwestern Medicine McHenry Hospital, Northwestern Memorial Hospital, and Northwestern Medicine Valley West Hospital.

According to NMHC, no financial information was accessed. Patients believed to be affected will be notified by post. NMHC will also provide free credit monitoring to people whose Social Security numbers have been compromised.

NMHC also stated it was “re-evaluating its relationship with Elekta”. 

“Patients are encouraged to review their health insurer or healthcare provider statements and to contact them immediately if they see any services they did not receive. We regret that this incident occurred and are committed to protecting the security and privacy of patient information,” the statement reads.

According to the company, the attackers did not get access to NMHC's systems, networks, or health records. The incident serves as a stark reminder of the risks of relying on third-party software or services.

A well-known example of what can happen as a result of a cyber-attack on a service provider is the Blackbaud incident. The ransomware attack, which exposed the personal information of financial donors, impacted hundreds of nonprofit organizations and fundraising campaigns.