OSF HealthCare

OSF HealthCare System operates as a healthcare provider in the United States, with documented facilities across Illinois and Michigan. The organization delivers medical services encompassing patient care, as evidenced by the types of health information managed, including patient records, medical imaging, treatment documentation, and administrative data. Its operational scope involves multiple departments and facilities, handling sensitive protected health information such as ultrasounds, maternity files, pulmonary test results, and explanation of benefits statements. The system's structure supports comprehensive healthcare delivery, though specific details regarding service specializations or regulatory roles are not explicitly defined in available information. OSF HealthCare's footprint includes historical and current patient data spanning several years, indicating a long-standing presence in the healthcare sector within its geographic markets.

The organization has experienced significant cybersecurity incidents that underscore challenges in safeguarding patient and staff information. In June 2021, OSF HealthCare was targeted by the Xing Team ransomware group, resulting in the exfiltration and public release of 112 GB of data after the organization reportedly refused to cooperate. This breach exposed extensive patient records, over 516,000 images containing protected health information, staff data, emails, contracts, and financial details. Prior to this, in August 2020, OSF HealthCare notified patients of a data breach stemming from a ransomware attack on its third-party service provider Blackbaud, which compromised names, contact details, dates of birth, treatment locations, physician names, and medical record numbers. These incidents involved both current and historical records and affected multiple facilities, though the organization did not publicly acknowledge the 2021 incident at the time of reporting. The breaches highlight the vulnerability of healthcare data systems to external threats and the potential for large-scale exposure of personally identifiable information across interconnected healthcare networks.