Cyber Incident Victim: Morris Hospital & Healthcare Centers

Date: Apr 2023

Location: United States of America

Summary

Morris Hospital & Healthcare Centers experienced a cybersecurity incident where an unauthorized third party gained access to its network system. The Royal ransomware group claimed responsibility for the attack, which did not impact patient care or the electronic medical record system but did compromise a server containing patient data. The breach affected over 248,000 individuals, and the hospital offered credit monitoring and identity protection services to those impacted.

Description

On or around April 4, 2023, Morris Hospital & Healthcare Centers in Morris, Illinois, experienced a cybersecurity incident. The hospital detected unusual activity on its computer network that indicated an unauthorized third party had gained access. This detection prompted the immediate launch of an investigation, which was conducted with the assistance of independent cybersecurity forensic experts. The hospital confirmed that its electronic medical record system, which is separate from the compromised network, was unaffected and remained secure throughout the incident. This separation ensured that patient care delivery and hospital operations were not impacted by the event.

The Royal ransomware group subsequently claimed responsibility for the attack. On May 22, 2023, this group added Morris Hospital & Healthcare Centers to its data leak site. Along with the listing, the group published a sample of files that were allegedly stolen during the breach. This public claim by the threat actor provided external confirmation of the attack's nature. The hospital's investigation, which remained active, aimed to determine the full extent of the incident and whether any sensitive patient information was involved.

The investigation process involved an extensive review of each individual file on the affected servers to determine whether any sensitive data was compromised. This meticulous process, known as e-discovery, was necessary due to the nature of the external system breach. The hospital stated that the numerous IT security measures already in place prior to the attack were instrumental in limiting the severity of the incident and preventing a more severe outcome. These pre-existing security controls helped contain the damage.

By June 20, 2023, the full scope of the breach and its impact on personal data had been officially determined. The forensic investigation determined that the incident was an external system breach, or hacking event. The information acquired by the unauthorized party included names or other personal identifiers in combination with Social Security Numbers. The total number of persons affected nationwide was determined to be 248,943 individuals. This figure included 25 residents of the state of Maine.

The hospital, through its outside counsel, provided formal notification of the breach. Consumers were notified by written notice, and the date of consumer notification was set for August 17, 2023. As part of its response, Morris Hospital & Healthcare Centers offered identity theft protection services to the affected individuals. These services were provided by Experian and included 12 months of credit monitoring, identity restoration assistance, and theft insurance. This offering was a direct measure to help protect those whose sensitive information was compromised in the attack.

The incident was reported to the appropriate authorities, including the Maine Attorney General's office. The report confirmed that because the number of affected Maine residents exceeded 1,000, the consumer reporting agencies had been notified as required by law. The hospital had not issued any previous breach notifications within the 12 months preceding this incident. The investigation into the breach confirmed that while the electronic medical record system was untouched, patient data stored on the compromised network was accessed. The hospital committed to providing further updates as more information became available from the ongoing investigation.
