Malware Attack Exposes IL Health Centers’ Patient and Staff PHI

Several Illinois healthcare, nursing and rehabilitation centers are feeling the impact of a malware attack that exposed both staff and patients’ protected health information (PHI.) 

Dynamic Health Care, Inc. (DHC) of Illinois issued a data incident notice on July 16, notifying its patients and staff of “a recent event that may affect the privacy of information of certain nursing care facility patients and employees for whom it provides consulting, administrative, and back-office services, including Woodbridge Nursing Pavilion, Waterfront Terrace, Bridgeview Health Care Center, Willow Crest Nursing Pavilion, Ottawa Pavilion, and River North of Bradley Health & Rehabilitation Center,” the notice states. 

DHC found malware on its computer systems on November 8, 2020, according to the statement.  

“DHC immediately commenced an investigation to determine the full nature and scope of the incident and to secure its network,” the notice states. “Through this investigation, DHC determined that in connection with the malware event, an unauthorized actor accessed certain systems within its network on or about November 8, 2020.” 

“On or about January 7, 2021, DHC determined the unauthorized actor may have accessed or acquired information regarding certain nursing care facility residents and employees located within these systems,” the notice continues. “DHC has worked since this time to identify the individuals who may be impacted, the types of information at issue, and the best contact information for those who may be impacted by the event, in order to provide an accurate notification.” 

The review of DHC’s systems showed sensitive information was present in the impacted systems and an unauthorized actor could have accessed or acquired that information, according to the notice. 

The breached data includes patients’ and/or staff members’ names, dates of birth, Social Security numbers, treating nursing care facility names, and may include a resident identification number and dates of admission and/or discharge, the notice states.  

Currently, DHC is mailing notice letters to any impacted individuals. Those individuals who have not received letters and want to know if they were impacted by the data breach, or have questions, can call DHC’s dedicated assistance line at 866-416-6781 between the hours of 8:00 am and 8:00 pm, CT, Monday through Friday. 

DHC said it is boosting its cybersecurity as a response to the malware attack.  

“DHC has strict security measures to protect the information in its possession and has worked to add further technical safeguards to its environment,” the notice states. “Following this incident, DHC took immediate steps to improve the security of its environment and increase its security posture. DHC is also implementing additional training and education to its employees to prevent similar future incidents.”