Cyber Incident Victim: Sinai Health System

On October 2, 2017, Sinai Health System, a Chicago-based hospital network serving the city’s West and Southwest sides, experienced a phishing attack compromising at least two employee email accounts. The organization detected the breach within hours of its occurrence and initiated immediate containment measures. An investigation involving external cybersecurity experts confirmed unauthorized access to the email accounts but found no evidence that attackers viewed or exfiltrated patient information. The incident potentially exposed data belonging to 11,350 individuals, though Sinai emphasized it could not definitively confirm whether any protected health or financial records were actually accessed. No compromise of financial systems or payment data was identified during the forensic review. The health system assessed the overall risk of harm to patients as low based on these findings.

Sinai Health System began notifying all potentially affected patients on December 7, 2017, approximately two months after discovering the breach. The organization partnered with an identity protection service to provide complimentary credit monitoring and identity theft protection for 12 months to impacted individuals. A dedicated call center (855-260-2768) was established to address patient inquiries. In public statements, Sinai reiterated its commitment to safeguarding patient privacy and protecting personal health information, while apologizing for any inconvenience caused by the incident. The health system did not disclose whether law enforcement was involved or if operational disruptions occurred beyond the compromised email accounts.