[{"data":1,"prerenderedAt":186},["ShallowReactive",2],{"article-slug-healthcare-data-breaches-in-illinois-and-texas-impact-nearly-600000":3,"articles-index":-1},{"id":4,"slug":5,"headline":6,"title":7,"summary":8,"full_report":9,"twitter_post":10,"meta_description":11,"category":12,"severity":16,"entities":17,"cves":35,"sources":36,"events":48,"mitre_techniques":61,"mitre_mitigations":81,"d3fend_countermeasures":132,"iocs":145,"cyber_observables":146,"tags":167,"extract_datetime":174,"article_type":175,"impact_scope":176,"pub_date":40,"reading_time_minutes":185,"createdAt":174,"updatedAt":174},"72c22dac-2f8f-4e47-8880-87eb25bbd29e","healthcare-data-breaches-in-illinois-and-texas-impact-nearly-600000","Nearly 600,000 Patients Affected by Data Breaches at Three U.S. Healthcare Providers","Data Breaches at Healthcare Organizations in Illinois and Texas Impact Nearly 600,000","Three U.S. healthcare providers have disclosed significant data breaches affecting a combined total of nearly 600,000 individuals. The North Texas Behavioral Health Authority reported a network intrusion impacting 285,000 people. In Illinois, Southern Illinois Dermatology disclosed a breach affecting 160,000, an incident previously claimed by the Insomnia ransomware group. Additionally, Saint Anthony Hospital in Chicago revealed a compromised email incident affecting 146,000. These events highlight the persistent targeting of the healthcare sector and the exposure of sensitive patient data.","## Executive Summary\n\nThree U.S. healthcare organizations have reported significant data breaches to the U.S. Department of Health and Human Services (HHS), collectively impacting nearly 600,000 patients. The incidents, which occurred in Texas and Illinois, involve network intrusions and compromised business email accounts, leading to the unauthorized access and potential exfiltration of highly sensitive Personally Identifiable Information (PII) and Protected Health Information (PHI). The affected entities are the **North Texas Behavioral Health Authority** (285,000 individuals), **Southern Illinois Dermatology** (160,000 individuals), and **[Saint Anthony Hospital](https://www.sahchicago.org/)** in Chicago (146,000 individuals). The breach at Southern Illinois Dermatology was previously claimed by the **Insomnia** ransomware group, underscoring the direct link between cyberattacks and large-scale data exposure in the healthcare sector.\n\n---\n\n## Threat Overview\n\nThe healthcare industry remains a prime target for cybercriminals due to the high value of stolen medical data and the critical nature of its operations, which makes it more likely to pay ransoms. These three incidents showcase different but common attack vectors targeting the sector.\n\n-   **North Texas Behavioral Health Authority:** This was a network server breach. Attackers gained access to the network between October 13 and October 15, 2025, and were able to access files containing PII for 285,000 individuals. This type of intrusion often results from an unpatched vulnerability, a phishing attack, or compromised credentials.\n\n-   **Southern Illinois Dermatology:** This incident, affecting 160,000 people, was also a network compromise. The **Insomnia** ransomware group claimed responsibility in February 2026, posting the clinic on its leak site and later leaking the stolen data. This is a classic double-extortion attack where data is both encrypted and stolen.\n\n-   **Saint Anthony Hospital:** This breach, impacting 146,000, resulted from a compromised email account. In February 2025, attackers gained access to two employee email inboxes containing patient PII and PHI. While the hospital stated this was unrelated, it has a history of being targeted, having been listed as a victim by the **[LockBit](https://attack.mitre.org/groups/G0115)** ransomware group in January 2024.\n\n## Technical Analysis\n\nWhile technical details are sparse, we can infer the likely TTPs based on the attack types.\n\n**Network Intrusion (North Texas BHA, Southern Illinois Dermatology):**\n1.  **Initial Access:** Likely achieved through exploiting a public-facing vulnerability, a successful phishing campaign, or using stolen remote access credentials.\n2.  **Lateral Movement & Discovery:** Attackers would have moved through the network to identify and access file servers containing patient data.\n3.  **Data Staging & Exfiltration:** Before deploying ransomware (in the Insomnia case), the attackers would have collected and compressed large volumes of data and exfiltrated it to their own servers.\n4.  **Impact:** For the ransomware attack, the final stage would be encrypting the files ([`T1486`](https://attack.mitre.org/techniques/T1486/)).\n\n**Business Email Compromise (Saint Anthony Hospital):**\n1.  **Credential Theft:** The employee email account credentials were likely stolen via a phishing email or credential stuffing attack.\n2.  **Unauthorized Access:** The attacker logged into the email accounts.\n3.  **Data Mining:** The attacker searched the mailboxes for sensitive information, attachments, and contacts, potentially setting up forwarding rules to monitor communications covertly.\n\n**MITRE ATT&CK TTPs:**\n- [`T1213 - Data from Information Repositories`](https://attack.mitre.org/techniques/T1213/): Accessing patient data from file servers or databases.\n- [`T1566 - Phishing`](https://attack.mitre.org/techniques/T1566/): A likely vector for both the email compromise and initial access for the network intrusions.\n- [`T1567 - Exfiltration Over Web Service`](https://attack.mitre.org/techniques/T1567/): Exfiltrating stolen patient data for double extortion.\n- [`T1486 - Data Encrypted for Impact`](https://attack.mitre.org/techniques/T1486/): Used by the Insomnia ransomware group against Southern Illinois Dermatology.\n- [`T1078 - Valid Accounts`](https://attack.mitre.org/techniques/T1078/): Used to access the employee email accounts at Saint Anthony Hospital.\n\n## Impact Assessment\n\nThe impact on the nearly 600,000 affected individuals is severe. The compromised data, including names, addresses, Social Security numbers, and medical information, can be used for identity theft, financial fraud, and highly targeted phishing scams. For the healthcare providers, the consequences include significant financial costs for incident response, legal fees, regulatory fines under **[HIPAA](https://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act)**, and long-term reputational damage. The disruption caused by such attacks can also impact patient care, leading to canceled appointments and delayed treatments, which poses a direct risk to patient safety.\n\n## IOCs — Directly from Articles\n\nNo specific file hashes, IP addresses, or domains were provided in the source articles.\n\n## Cyber Observables — Hunting Hints\n\nSecurity teams in healthcare can hunt for the following general patterns:\n\n| Type | Value | Description | Context |\n| :--- | :--- | :--- | :--- |\n| Log Source | VPN Logs | Look for logins from unusual geographic locations or multiple failed attempts followed by success. | Remote access logs. |\n| Network Traffic Pattern | Large data transfers from internal file servers to external IP addresses. | This could indicate data staging and exfiltration prior to a ransomware attack. | NetFlow, Firewall logs. |\n| Email Log Pattern | `New-InboxRule` or `Set-InboxRule` PowerShell commands | In Exchange/M365 logs, this can detect attackers creating malicious forwarding rules in compromised mailboxes. | Microsoft 365 audit logs. |\n| Process Name | `vssadmin.exe delete shadows` | A common precursor to ransomware deployment, aimed at preventing easy recovery. | EDR, Windows Event ID 4688. |\n\n## Detection & Response\n\n**Detection:**\n1.  **Email Security:** Implement advanced email filtering to detect phishing attempts. Monitor M365/Exchange audit logs for suspicious login activity and inbox rule creation.\n2.  **Network Monitoring:** Use network intrusion detection systems (NIDS) and monitor for large outbound data transfers.\n3.  **Endpoint Detection:** Deploy EDR solutions to detect ransomware-related behaviors like shadow copy deletion and mass file encryption.\n4.  **Threat Intelligence:** Monitor dark web forums and ransomware leak sites for mentions of your organization's name or data.\n\n**Response:**\n1.  **Containment:** Isolate affected systems or network segments to prevent further damage.\n2.  **Credential Reset:** In an email compromise, immediately reset the password for the affected account, revoke all active sessions, and review for malicious rules.\n3.  **Investigation:** Engage a third-party cybersecurity firm to conduct a forensic investigation to determine the scope and root cause of the breach.\n4.  **Notification:** Comply with all legal and regulatory notification requirements (e.g., HHS, state attorneys general, affected individuals).\n\n## Mitigation\n\n1.  **Multi-Factor Authentication (MFA):** Mandate MFA for all accounts, especially for email, VPN, and other remote access systems.\n2.  **Patch Management:** Maintain a rigorous patch management program to address vulnerabilities in servers, network devices, and endpoints in a timely manner.\n3.  **Employee Training:** Conduct regular security awareness training to help employees recognize and report phishing attempts.\n4.  **Data Encryption:** Encrypt sensitive patient data both at rest and in transit to make it unusable to attackers if stolen.\n5.  **Backup and Recovery:** Maintain regular, tested, and offline backups of critical data to ensure you can recover from a ransomware attack without paying.","🏥 Nearly 600,000 patients impacted by data breaches at three U.S. healthcare providers in IL & TX. Incidents involve network intrusions and email compromise, with one linked to the Insomnia ransomware group. #Healthcare #DataBreach #HIPAA","Three U.S. healthcare providers—North Texas Behavioral Health Authority, Southern Illinois Dermatology, and Saint Anthony Hospital—disclose data breaches affecting nearly 600,000 individuals.",[13,14,15],"Data Breach","Ransomware","Policy and Compliance","high",[18,21,23,26,29,32],{"name":19,"type":20},"North Texas Behavioral Health Authority","company",{"name":22,"type":20},"Southern Illinois Dermatology",{"name":24,"type":20,"url":25},"Saint Anthony Hospital","https://www.sahchicago.org/",{"name":27,"type":28},"Insomnia","threat_actor",{"name":30,"type":28,"url":31},"LockBit","https://attack.mitre.org/groups/G0115/",{"name":33,"type":34},"U.S. Department of Health and Human Services (HHS)","government_agency",[],[37,43],{"url":38,"title":39,"date":40,"friendly_name":41,"website":42},"https://www.securityweek.com/data-breaches-at-healthcare-organizations-in-illinois-and-texas-affect-600000/","Data Breaches at Healthcare Organizations in Illinois and Texas Affect 600000","2026-04-21","SecurityWeek","securityweek.com",{"url":44,"title":45,"date":40,"friendly_name":46,"website":47},"https://cybernews.com/news/three-us-healthcare-orgs-disclose-data-breaches/","Three US healthcare orgs disclose size of data breaches","Cybernews","cybernews.com",[49,52,55,58],{"datetime":50,"summary":51},"2025-02-01T00:00:00Z","Two employee email accounts at Saint Anthony Hospital are compromised.",{"datetime":53,"summary":54},"2025-10-13T00:00:00Z","Network intrusion begins at North Texas Behavioral Health Authority, lasting until Oct 15.",{"datetime":56,"summary":57},"2025-11-30T00:00:00Z","Southern Illinois Dermatology becomes aware of a cybersecurity incident on its network.",{"datetime":59,"summary":60},"2026-02-01T00:00:00Z","The Insomnia ransomware group lists Southern Illinois Dermatology on its leak site.",[62,66,70,74,78],{"id":63,"name":64,"tactic":65},"T1213","Data from Information Repositories","Collection",{"id":67,"name":68,"tactic":69},"T1566","Phishing","Initial Access",{"id":71,"name":72,"tactic":73},"T1567","Exfiltration Over Web Service","Exfiltration",{"id":75,"name":76,"tactic":77},"T1486","Data Encrypted for Impact","Impact",{"id":79,"name":80,"tactic":69},"T1078","Valid Accounts",[82,90,94,115],{"id":83,"name":84,"d3fend_techniques":85,"description":89},"M1032","Multi-factor Authentication",[86],{"id":87,"name":84,"url":88},"D3-MFA","https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication","Crucial for preventing email account takeovers and unauthorized remote access, which were vectors in these breaches.",{"id":91,"name":92,"description":93},"M1017","User Training","Regular security awareness training helps staff identify and report phishing attempts, a common initial access vector.",{"id":95,"name":96,"d3fend_techniques":97,"description":114},"M1041","Encrypt Sensitive Information",[98,102,106,110],{"id":99,"name":100,"url":101},"D3-DENCR","Disk Encryption","https://d3fend.mitre.org/technique/d3f:DiskEncryption",{"id":103,"name":104,"url":105},"D3-ET","Encrypted Tunnels","https://d3fend.mitre.org/technique/d3f:EncryptedTunnels",{"id":107,"name":108,"url":109},"D3-FE","File Encryption","https://d3fend.mitre.org/technique/d3f:FileEncryption",{"id":111,"name":112,"url":113},"D3-MENCR","Message Encryption","https://d3fend.mitre.org/technique/d3f:MessageEncryption","Encrypting patient data at rest on servers and databases can render it useless to attackers even if they manage to exfiltrate it.",{"id":116,"name":117,"d3fend_techniques":118,"description":131},"M1047","Audit",[119,123,127],{"id":120,"name":121,"url":122},"D3-DAM","Domain Account Monitoring","https://d3fend.mitre.org/technique/d3f:DomainAccountMonitoring",{"id":124,"name":125,"url":126},"D3-LAM","Local Account Monitoring","https://d3fend.mitre.org/technique/d3f:LocalAccountMonitoring",{"id":128,"name":129,"url":130},"D3-SFA","System File Analysis","https://d3fend.mitre.org/technique/d3f:SystemFileAnalysis","Comprehensive logging and monitoring of network access, file access, and email account activity is essential for early detection of breaches.",[133,139],{"technique_id":134,"technique_name":135,"url":136,"recommendation":137,"mitre_mitigation_id":138},"D3-UBA","User Behavior Analysis","https://d3fend.mitre.org/technique/d3f:UserBehaviorAnalysis","To detect incidents like the network intrusions at North Texas BHA and Southern Illinois Dermatology, healthcare organizations should deploy User and Entity Behavior Analytics (UEBA) solutions. These tools baseline normal user activity—such as which files they access, from where, and at what times. The system could have flagged the attacker's activity at North Texas BHA, which occurred over a specific 3-day period, as anomalous. For the Saint Anthony Hospital email compromise, a UEBA tool integrated with Microsoft 365 could have detected the impossible travel scenario (e.g., login from a new country), access to an unusually large number of mail items, or the creation of malicious inbox rules. By alerting security teams to these deviations from normal behavior, UEBA can provide early warning of a compromised account or an intruder moving laterally within the network, enabling faster response before a full-blown data breach occurs.","M1040",{"technique_id":140,"technique_name":141,"url":142,"recommendation":143,"mitre_mitigation_id":144},"D3-FR","File Restoration","https://d3fend.mitre.org/technique/d3f:FileRestoration","In the context of the Insomnia ransomware attack on Southern Illinois Dermatology, having a robust file restoration capability is the most critical component of resilience. This goes beyond simple backups. Healthcare organizations must adhere to the 3-2-1 backup rule: three copies of data, on two different media types, with one copy stored offline and immutable (air-gapped). The offline, immutable copy is the key defense against ransomware that actively targets and encrypts connected backups. Restoration procedures must be tested regularly to ensure they are effective and to meet recovery time objectives (RTOs). Had Southern Illinois Dermatology been able to quickly restore their systems from immutable backups, the operational impact of the encryption would have been minimized, reducing the pressure to pay the ransom. While this doesn't prevent the data exfiltration aspect of the double-extortion attack, it ensures continuity of patient care and business operations.","M1053",[],[147,153,158,163],{"type":148,"value":149,"description":150,"context":151,"confidence":152},"log_source","VPN/Remote Access Logs","Look for logins from unusual geographic locations, multiple failed attempts followed by success, or logins outside of normal business hours.","SIEM, remote access solution logs.","medium",{"type":154,"value":155,"description":156,"context":157,"confidence":152},"network_traffic_pattern","Large data transfers from internal file servers to external IP addresses.","This could indicate data staging and exfiltration prior to a ransomware attack. Establish a baseline and alert on significant deviations.","NetFlow analysis, Firewall logs, DLP solutions.",{"type":159,"value":160,"description":161,"context":162,"confidence":16},"command_line_pattern","New-InboxRule","In Exchange/M365 logs, this PowerShell command can detect attackers creating malicious forwarding rules in compromised mailboxes to exfiltrate data.","Microsoft 365 audit logs, PowerShell logging.",{"type":159,"value":164,"description":165,"context":166,"confidence":16},"vssadmin.exe delete shadows","A common precursor to ransomware deployment, aimed at preventing easy recovery by deleting volume shadow copies.","EDR, Windows Event ID 4688 with command line logging.",[168,169,170,171,27,30,172,173],"healthcare","data breach","HIPAA","ransomware","PII","PHI","2026-04-21T15:00:00.000Z","NewsArticle",{"geographic_scope":177,"countries_affected":178,"industries_affected":180,"other_affected":182,"people_affected_estimate":184},"national",[179],"United States",[181],"Healthcare",[183],"patients","nearly 600,000",6,1776792971607]