Cyber Incident Victim: OSF HealthCare
Date: Jun 2021
Location: United States of America
Summary
OSF HealthCare experienced a cyberattack by the Xing Team ransomware group, resulting in the exfiltration and public release of 112 GB of sensitive data after the organization reportedly refused to cooperate. The compromised information included extensive patient records such as ultrasounds, maternity files, pulmonary test results, and over 516,000 images containing explanation of benefits statements and medical documentation, with filenames exposing protected health information through patient identifiers. Staff data, emails, contracts, and financial details were also leaked, revealing personally identifiable information across multiple departments and facilities. The breach involved both current and historical records dating back several years, though the organization did not publicly acknowledge the incident or confirm notification efforts at the time of reporting.
Description
On June 3, 2021, the threat actor group Xing Team published 112 gigabytes of data allegedly exfiltrated from OSF HealthCare, an Illinois-based integrated health system operating 14 hospitals and over 350 facilities across Illinois and Michigan. The attackers claimed the data release resulted from OSF HealthCare's refusal to cooperate with their demands, stating "participants post all data here. You can get all! Emails, phones, staff data, patients information, contracts, finance information, pictures – all is available!" Analysis of the dumped data revealed multiple categories of sensitive information, including a folder titled "PDF" containing approximately 4,700 maternity-related patient files from the Family Health Center. These files incorporated ultrasound records and other pregnancy documentation, with filenames exposing electronic protected health information (ePHI) through patient identifiers and test descriptions. A separate "PFT" folder held pulmonary function test records from St. Paul Medical Center, while a "png's" directory contained over 516,000 image files dating back to 2017, including explanation of benefits statements and patient records organized by month.

The breach exposed substantial volumes of sensitive data, with patient records spanning multiple years and clinical departments. File metadata and content analysis indicated potential exposure of thousands of patients' personal health information, though unique patient counts remained undetermined due to duplicate records across folders. OSF HealthCare did not respond to multiple inquiries from DataBreaches.net sent on May 20 and June 2, 2021, nor had it issued public statements about the incident as of the July 5, 2021 article update. The compromised data included staff information, financial records, and contractual documents alongside patient data. No information was provided regarding operational disruptions, containment measures, or whether the breach affected OSF's core clinical systems. As of July 2021, the incident did not appear in HHS's public breach database, and the scope of required patient notifications remained unclear despite evidence suggesting significant notification obligations due to the volume and sensitivity of exposed health information.
