38K UChicago Medicine patients affected by debt collector's data breach, officials say
A data breach last summer might have exposed the personal information of nearly 40,000 patients of a University of Chicago Medicine medical group, the hospital system announced Wednesday.
A spokesperson said the incident was part of a nationwide data breach from third-party vendor Nationwide Recovery Services, who notified the hospital in April that they had experienced a cybersecurity incident of July 2024.
Nationwide Recovery Services is used by a wide variety of hospitals across the country, and multiple medical groups have reported being affected by the growing security incident.
UChicago Medicine officials said only patients of UCM Medical Group were affected by the breach, not patients of the University of Chicago Medical Center.
The data gathered includes personal information like first and last name, address, date of birth, Social Security number, financial information and/or medical information that may have been given to Nationwide Recovery Service for them to conduct financial services on the behalf UC Medical Group.
UChicago said it has ended its relationship with Nationwide Recovery Services. Patients affected are being contact directly by the medical group and should monitor their account statements and credit reports for any indication of fraud.
The data breach follows to other similar incidents at other hospital systems in the past year, and that's why security experts said the latest incident should be a reminder for everyone to be aware of an uptick in these breaches or attacks in the healthcare field.
"When somebody performs medical fraud, they can make a lot of money," said Scott Schober, a cybersecurity and wireless technology expert. "Our personal information isn't worth, you know, $5 or $10. Now suddenly it's worth thousands of dollars to the right bidder when it's sold on the dark web."
The UChicago breach follows a breach announced at Loretto Hospital in Chicago last month.
Last year, Lurie Children's Hospital experienced a nearly month-long network outage after a cyberattack. The group Rhysida claimed responsibility for that attack and appeared to be selling data for more than $3 million on the dark web.
"I don't think these individual breaches are necessarily connected per se. What it really speaks to, though, is the rising cybercrime targeting the healthcare industry, targeting hospitals," Schober said.
"That's a lot harder to be on the lookout for, but also at the same time has much more wide-reaching effects outside of just Chicago," said Jason Baker of GuidePoint Security, a cyber threat intelligence expert, who spoke to the CBS News Chicago investigators about the attack on Lurie last year.
Baker said the UChicago incident stands out because it's a third-party breach.
"It would be far worse if we were talking about internal University of Chicago systems, where that personal health information might actually have been located," he said.
Baker added that the health care sector has been not only targeted, but impacted increasingly year over year by cybercrime — ranging from low-level data breaches to full-scale ransomware intrusions.
"In years gone by — at least in the ransomware space and a lot of cybercrime — healthcare, especially those that provided lifesaving care, was often considered off limits or taboo," Baker said, "but that's really faded away in the last year or two."
The problem is also magnified by budget and resource constraints faced by health care organizations in keeping data safe, Baker said.
The best way you can protect yourself as these incidents continue to rise?
"Being mindful and setting alerts is your first line of defense," Baker said.
"Make sure, number one, you have your credit frozen," Schober said. "That's one of the main things every American can do, and it doesn't cost you a cent, yet most people still don't do it."
No one from the hospital systems mentioned in this story were available to for interviews on Wednesday.
Governors State University professor Bill Kresse, a certified fraud examiner also known as Professor Fraud, offered the following tips:
Data breaches involving personal identifying information have become ubiquitous. As such, you are either a victim of a data breach, or soon will be.
People have to be vigilant, wary, and proactive.
Be vigilant in monitoring your bank and credit card accounts; reporting any unusual activity to that financial institution or credit card company.
Be wary of any emails — or increasingly text messages —reporting problems with your credit. These may be from fraudsters. Do not click on the link in the message; rather, contact your bank or credit card company at a trusted email address or telephone number.
Be proactive by placing a security freeze on your credit report with all three major credit reporting agencies. The freezes can be easily lifted and reapplied if you are in the process of opening new credit card accounts, or applying for a loan or mortgage.
It is unfortunate that we have to respond this way, but our internet-based economy has made things more convenient for consumers - and for fraudsters. But if one stays alert, they can avoid a lot of difficulties.
