Illinois hospital notifies patients, employees of data breach after Royal gang posting

About 250,000 people potentially had their personal information exposed in a data breach in early April, an Illinois hospital disclosed this week.

Morris Hospital & Healthcare Centers, located about 60 miles southwest of Chicago, said it discovered the incident on April 4 and “immediately took steps” to respond. In an announcement Thursday, the organization said it “mailed notices to individuals whose personal information may have been involved.”

In a separate filing on Maine’s data breach notification site, the hospital said 248,943 people were potentially affected overall.

In late May, reports said the Royal ransomware gang had posted data from the organization on its leak site. As of May 23, the hospital had said it was still investigating the incident.

Thursday’s announcement does not mention a specific attacker, but it says “there were exports of data to an external cloud storage platform by an unauthorized party.” There is no mention of a ransom demand.

The potentially exposed data includes “names, addresses, dates of birth, social security numbers, medical record numbers and account numbers, and diagnostic codes (numeric codes used to identify diagnoses and treatments) of current and former healthcare patients at Morris Hospital AND the names, addresses, social security numbers, and dates of birth of current and former employees and their dependents and beneficiaries,” the hospital said.

After the incident was discovered, the hospital said it “reset passwords for all employee accounts and suspended mobile email access” and “identified and removed malicious files, enhanced its monitoring, logging, and detection capabilities.”

The organization hired unspecified “global security professionals” to investigate and assist with recovery efforts.

“After several weeks of investigation, the global security professionals were able to produce a listing of affected directories, which were subsequently used to harvest and review restored files for potentially affected personal information,” the hospital said.

Recent purported targets of the Royal group include the city of Dallas, a St. Louis suburb and an Iowa public broadcasting station. An apparent offshoot of the gang took credit for an attack on a Tampa Bay zoo in July.

Royal is also notorious for targeting the health care sector. In December the U.S. Department of Health and Human services warned about the group. In March the Cybersecurity and Infrastructure Security Agency issued a broader alert about Royal targeting critical infrastructure in general.