Chicago's St. Anthony Hospital Discloses Data Breach Affecting Over 6,600

St. Anthony Hospital Announces Data Breach Exposing PII and PHI of Over 6,600 Individuals

MEDIUM
November 19, 2025
Data Breach, Phishing, Industrial Control Systems

Impact Scope

  • People Affected: 6,600+
  • Industries Affected: Healthcare
  • Geographic Impact: United States (local)
  • Related Entities: St. Anthony Hospital (Other)

Full Report

Executive Summary

St. Anthony Hospital, a healthcare provider in Chicago, has announced a data breach that potentially exposed the sensitive information of over 6,600 patients and employees. The hospital became aware in February 2025 that an unauthorized party had gained access to employee email accounts. A subsequent investigation, conducted with third-party cybersecurity experts, confirmed that these accounts contained a mix of Personally Identifiable Information (PII) and Protected Health Information (PHI). Exposed data may include names, Social Security numbers, addresses, and detailed medical information. The hospital is now notifying affected individuals.


Threat Overview

  • Victim: St. Anthony Hospital (Chicago) and its patients/staff.
  • Attack Vector: The initial vector is implied to be a phishing attack or similar method that resulted in the compromise of employee email account credentials (T1566 - Phishing).
  • Actions on Objectives: The threat actor gained access to multiple employee mailboxes (T1114.001 - Local Email Collection) to search for and exfiltrate sensitive data. The goal is typically to gather data for identity theft, insurance fraud, or to sell on dark web forums.

Technical Analysis

The attack pattern is characteristic of a Business Email Compromise (BEC) style attack focused on data theft rather than financial fraud.

  1. Credential Compromise: The attacker likely used a phishing campaign to steal the login credentials for one or more hospital employee email accounts.
  2. Unauthorized Access: Using the stolen credentials, the attacker logged into the Microsoft 365 or Google Workspace accounts of the employees (T1078 - Valid Accounts).
  3. Data Mining: The attacker then systematically searched the compromised mailboxes for sensitive information. They would look for keywords like "SSN," "password," "invoice," or search for documents containing patient records and financial data.
  4. Exfiltration: Data was likely exfiltrated by forwarding emails to an external account, downloading attachments, or using automated tools to scrape the mailboxes.

This type of attack highlights the significant risk posed by unstructured data stored in email accounts. Mailboxes often become de facto filing cabinets for vast amounts of sensitive information, making them a high-value target for attackers.

Impact Assessment

  • Data Exposure: The breach exposed highly sensitive PII and PHI for 6,600 individuals, including:
    • Names, addresses, dates of birth
    • Social Security numbers
    • Medical record and patient account numbers
    • Prescription information and medical histories
  • Risk of Fraud: This data is a complete package for identity theft, medical fraud, and highly targeted phishing attacks. Victims are at high risk of fraudulent medical claims being filed in their name or having their identities stolen for financial gain.
  • Regulatory Scrutiny: As a healthcare provider, St. Anthony Hospital will face scrutiny under the Health Insurance Portability and Accountability Act (HIPAA). The breach will likely trigger an investigation by the HHS Office for Civil Rights and could result in significant fines.
  • Patient Trust: Breaches involving sensitive medical data can severely damage patient trust in the institution.

Cyber Observables for Detection

To detect similar email account compromises, organizations should monitor for:

  • Microsoft 365 / Google Workspace Audit Logs (log_source): These logs contain detailed information on user logins, IP addresses, email activity, and rule creation.
  • Anomalous email forwarding rules (user_account_pattern): Attackers often create rules to auto-forward all incoming mail to an external account. This is a classic indicator of compromise.
  • Cloud App Security (CASB) Logs (log_source): A CASB can detect and alert on impossible travel, suspicious inbox rule creation, and massive file downloads from cloud email services.
  • Logon from suspicious IP (event_id): A login from an IP address associated with a VPN, Tor, or a country where the employee does not operate is a major red flag.

Detection & Response

  • Monitor Email Audit Logs: Actively monitor cloud email audit logs for suspicious activities. Key events to alert on include logins from unusual locations, creation of inbox forwarding rules, and unusually high volumes of email read or downloaded activity. D3FEND's D3-DAM - Domain Account Monitoring is essential.
  • User and Entity Behavior Analytics (UEBA): Implement UEBA to baseline normal user behavior within cloud environments and automatically flag anomalous activities that could indicate a compromised account.
  • Rapid Account Lockout: Upon detection of suspicious activity, the security team's first step should be to force a password reset and terminate all active sessions for the compromised account to evict the attacker.
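The observables above and the "Monitor Email Audit Logs" item both come down to the same three checks against the cloud email audit trail: an inbox rule that forwards mail outside the organisation, a login from a country where the employee does not operate, and two logins too far apart to be the same person. The following is an added example of that detection logic, not code from the original article or from the hospital; the audit events are constructed and only loosely follow the shape of Microsoft 365 unified audit log records (Operation, UserId, ClientIP, Parameters), and the field names, the internal domain and the geolocation tuples are assumptions.

```python
"""Detection logic for the mailbox-compromise indicators listed above.

Added example, not code from the original article. The audit events are
constructed and only loosely follow the shape of Microsoft 365 unified audit
log records (Operation, UserId, ClientIP, Parameters); the field names, the
internal domain and the geolocation tuples are assumptions.
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

ORG_DOMAIN = "hospital.example"      # assumed internal mail domain
HOME_COUNTRIES = {"US"}              # assumed countries where staff normally log in
MAX_PLAUSIBLE_SPEED_KMH = 900.0      # faster than this between two logins = impossible travel

# Constructed sample events (UTC timestamps); geo = (country, latitude, longitude).
AUDIT_EVENTS = [
    {"ts": "2025-02-01T08:00:00", "op": "UserLoggedIn", "user": "nurse1@hospital.example",
     "ip": "203.0.113.10", "geo": ("US", 41.88, -87.63)},
    {"ts": "2025-02-01T08:40:00", "op": "UserLoggedIn", "user": "nurse1@hospital.example",
     "ip": "198.51.100.7", "geo": ("NG", 6.52, 3.38)},
    {"ts": "2025-02-01T08:45:00", "op": "New-InboxRule", "user": "nurse1@hospital.example",
     "ip": "198.51.100.7", "geo": ("NG", 6.52, 3.38),
     "params": {"ForwardTo": "collector@attacker.example", "DeleteMessage": "True"}},
    {"ts": "2025-02-01T09:00:00", "op": "New-InboxRule", "user": "clerk2@hospital.example",
     "ip": "203.0.113.22", "geo": ("US", 41.88, -87.63),
     "params": {"MoveToFolder": "Billing"}},   # benign rule: no forwarding target
]


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (a[0], a[1], b[0], b[1]))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def external_forward(event):
    """Inbox rule that forwards or redirects mail outside the org: the classic indicator."""
    if event["op"] not in ("New-InboxRule", "Set-InboxRule"):
        return None
    params = event.get("params", {})
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        target = params.get(key)
        if target and target.rsplit("@", 1)[-1].lower() != ORG_DOMAIN:
            return f"{event['user']}: inbox rule {key}={target}"
    return None


def foreign_login(event):
    """Login from a country where the employee does not operate."""
    if event["op"] == "UserLoggedIn" and event["geo"][0] not in HOME_COUNTRIES:
        return f"{event['user']}: login from {event['geo'][0]} via {event['ip']}"
    return None


def impossible_travel(events):
    """Consecutive logins by one user that would need an implausible travel speed."""
    findings, last = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["op"] != "UserLoggedIn":
            continue
        prev = last.get(ev["user"])
        if prev:
            delta = datetime.fromisoformat(ev["ts"]) - datetime.fromisoformat(prev["ts"])
            hours = delta.total_seconds() / 3600
            km = haversine_km(prev["geo"][1:], ev["geo"][1:])
            # Same-second logins from distant places count as impossible as well.
            if km > 0 and (hours <= 0 or km / hours > MAX_PLAUSIBLE_SPEED_KMH):
                findings.append(f"{ev['user']}: {km:.0f} km in {hours:.1f} h")
        last[ev["user"]] = ev
    return findings


def analyze(events):
    """Run the per-event checks plus the cross-event travel check; return finding strings."""
    findings = []
    for ev in events:
        for check in (external_forward, foreign_login):
            finding = check(ev)
            if finding:
                findings.append(finding)
    findings.extend(impossible_travel(events))
    return findings


if __name__ == "__main__":
    for finding in analyze(AUDIT_EVENTS):
        print("ALERT", finding)
```

On the constructed sample this raises three alerts for the same account within an hour (foreign login, impossible travel, external forwarding rule), which is exactly the cluster the "Rapid Account Lockout" step should trigger on; the benign MoveToFolder rule for the second user produces nothing.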

Mitigation

  1. Multi-Factor Authentication (MFA): Enforce MFA on all email accounts. This is the single most effective control for preventing account takeovers resulting from stolen passwords. This is a direct application of D3FEND's D3-MFA - Multi-factor Authentication.
  2. User Training: Conduct regular, mandatory security awareness training that teaches employees how to identify and report phishing emails. This is a key part of M1017 - User Training.
  3. Data Loss Prevention (DLP): Implement DLP policies to detect and block the transmission of sensitive data (like SSNs and medical record numbers) via email. This can prevent exfiltration even if an account is compromised.
  4. Email Retention Policies: Enforce strict email retention policies to reduce the amount of historical sensitive data stored in user mailboxes, thus minimizing the impact of a potential breach.
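Of the four mitigations, the DLP policy is the one that reduces to concrete logic: classify outbound mail and attachments for the identifiers named above (SSNs, medical record numbers) and block the message when it would leave the organisation. The following is an added example of such a check, not the hospital's or any vendor's DLP code. The messages are constructed; the SSN pattern follows the public SSA validity rules (no 000, 666 or 9xx area, no 00 group, no 0000 serial), while the "MRN-" plus seven digits format is an assumed local convention, and attachment text is assumed to be already extracted.

```python
"""Outbound-mail DLP check for the identifier types named in the mitigation list.

Added example, not the hospital's or any vendor's DLP code. Messages are
constructed; the MRN format is an assumed local convention.
"""
import re

ORG_DOMAIN = "hospital.example"    # assumed internal mail domain

PATTERNS = {
    # SSA rules: area not 000/666/9xx, group not 00, serial not 0000.
    "ssn": re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # Assumed local medical record number convention.
    "mrn": re.compile(r"\bMRN-\d{7}\b"),
}

# Constructed outbound messages; attachment values are the already-extracted text.
MESSAGES = [
    {"id": 1, "to": ["billing@payer-example.com"],
     "body": "Patient MRN-0012345, SSN 123-45-6789, see attached claim."},
    {"id": 2, "to": ["records@hospital.example"],
     "body": "Patient MRN-0012345, SSN 123-45-6789 for internal chart review."},
    {"id": 3, "to": ["vendor@supplier-example.com"],
     "body": "Purchase order ref 999-12-3456, no patient data."},
    {"id": 4, "to": ["partner@clinic-example.org"],
     "body": "Please see the attached roster.",
     "attachments": {"roster.csv": "Doe,Jane,321-54-9876\nRoe,Rick,234-56-7890"}},
]


def is_external(address):
    """True when the recipient's domain is not the organisation's own."""
    return address.rsplit("@", 1)[-1].lower() != ORG_DOMAIN


def classify(text):
    """Return the set of sensitive identifier types found in text."""
    return {name for name, rx in PATTERNS.items() if rx.search(text)}


def evaluate(message):
    """('block'|'allow', hits): block only when sensitive data would leave the org."""
    if not any(is_external(r) for r in message["to"]):
        return "allow", set()     # internal-only delivery is outside this policy's scope
    text = "\n".join([message["body"], *message.get("attachments", {}).values()])
    hits = classify(text)
    return ("block" if hits else "allow"), hits


def redact(text):
    """Mask matched identifiers so a blocked message can be logged without re-exposing them."""
    for rx in PATTERNS.values():
        text = rx.sub("[REDACTED]", text)
    return text


if __name__ == "__main__":
    for msg in MESSAGES:
        decision, hits = evaluate(msg)
        print(msg["id"], decision, sorted(hits), redact(msg["body"]))
```

Two design points worth noting: the policy is scoped to external recipients so that legitimate internal chart traffic is not blocked, and the invalid-area check keeps a purchase-order reference like 999-12-3456 from being mistaken for an SSN. Attachments are scanned as text on the same footing as the body, since a CSV roster is exactly how bulk records tend to leave.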

Timeline of Events

  1. February 1, 2025: St. Anthony Hospital learns that an unauthorized party may have gained access to employee email accounts.
  2. November 19, 2025: The hospital publicly announces the data breach.
  3. November 19, 2025: This article was published.

MITRE ATT&CK Mitigations

  • Multi-Factor Authentication: Enforcing MFA on all email accounts is the most effective control against credential theft-based takeovers. Mapped D3FEND Techniques: D3-MFA - Multi-factor Authentication.
  • User Training (M1017): Training users to spot and report phishing emails can prevent the initial compromise.
  • Audit (M1047, enterprise): Comprehensive auditing of email account activity can provide early detection of a compromise. Mapped D3FEND Techniques: D3-DAM - Domain Account Monitoring.

D3FEND Defensive Countermeasures

In response to an email compromise like the one at St. Anthony Hospital, Account Locking is a critical and immediate response action. Security teams must have a playbook that, upon receiving a credible alert of account takeover (e.g., impossible travel login, suspicious inbox rule), automatically or immediately triggers the locking of the affected user account. This action evicts the attacker and prevents further data access or exfiltration. The process should involve disabling the account, terminating all active sessions across all services, and forcing a password reset. This rapid containment is crucial to minimizing the 'blast radius' of the breach and limiting the amount of data an attacker can steal from a compromised mailbox.

To detect an attacker operating within a compromised email account, Web Session Activity Analysis is key. This involves using a Cloud Access Security Broker (CASB) or advanced SIEM rules to analyze user activity within Office 365 or Google Workspace. Security teams should configure alerts for high-risk activities such as the creation of a new email forwarding rule, a sudden spike in file downloads, or an unusually high number of emails being read or deleted. By baselining normal user behavior, the system can flag these actions as anomalous for the specific user, even if the login itself appeared legitimate (e.g., from a domestic proxy). This provides a vital detection layer inside the perimeter, catching the attacker's data collection activities in progress.
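The baselining described in this paragraph is a per-user comparison: today's count of mail reads or file downloads against that user's own recent history, so that a volume which is normal for one account is flagged for another. The following is an added example of that analysis, not code from the original article or any CASB product. The per-user daily counts are constructed; in practice they would be aggregated from CASB or audit-log events, and the action names are an assumption rather than any vendor's schema.

```python
"""Behavioural baselining of mailbox activity (Web Session Activity Analysis).

Added example, not code from the original article. Per-user daily counts are
constructed; action names are an assumption, not a vendor schema.
"""
from statistics import mean, pstdev

# Constructed 14-day baseline: daily event counts per user and action.
HISTORY = {
    "nurse1@hospital.example": {
        "MailItemsAccessed": [110, 125, 118, 130, 121, 115, 128, 119, 124, 117, 122, 126, 113, 120],
        "FileDownloaded":    [3, 5, 2, 4, 3, 6, 2, 4, 3, 5, 4, 2, 3, 4],
    },
    "clerk2@hospital.example": {
        "MailItemsAccessed": [60, 72, 65, 70, 58, 66, 61, 69, 64, 67, 63, 71, 62, 68],
        "FileDownloaded":    [1, 0, 2, 1, 1, 0, 2, 1, 1, 0, 1, 2, 1, 1],
    },
}

# Constructed counts for the day under review: one account is being scraped, one is normal.
TODAY = {
    "nurse1@hospital.example": {"MailItemsAccessed": 2400, "FileDownloaded": 85},
    "clerk2@hospital.example": {"MailItemsAccessed": 74, "FileDownloaded": 2},
}


def zscore(value, baseline):
    """Standard deviations of value above the baseline mean (inf if the baseline never varies)."""
    mu, sd = mean(baseline), pstdev(baseline)
    if sd == 0:
        return float("inf") if value > mu else 0.0
    return (value - mu) / sd


def anomalous_activity(today, history, threshold=3.0, min_count=20):
    """Return (user, action, count, z) for counts far above that user's own baseline.

    min_count keeps low-volume noise (two downloads against a baseline of zero)
    from paging an analyst; threshold is the z-score cut-off.
    """
    findings = []
    for user, counts in today.items():
        for action, value in counts.items():
            baseline = history.get(user, {}).get(action)
            if not baseline:
                continue            # no baseline yet: nothing to compare against
            z = zscore(value, baseline)
            if value >= min_count and z > threshold:
                findings.append((user, action, value, round(z, 1)))
    return findings


if __name__ == "__main__":
    for user, action, count, z in anomalous_activity(TODAY, HISTORY):
        print(f"ANOMALY {user} {action}={count} (z={z})")
```

The point the paragraph makes is visible in the sample: the second user's 74 mail reads sit comfortably within their own baseline and produce no alert, while the first user's 2,400 reads and 85 downloads are flagged regardless of where the session logged in from. A production version would also baseline by hour of day and by client application, since a scraping tool typically differs from the user's usual mail client on both.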


Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Data Breach, Healthcare, St. Anthony Hospital, Phishing, PII, PHI, HIPAA
