What happened
Three US healthcare organizations disclosed data breaches this week after the Department of Health and Human Services updated its breach tracker with incidents affecting a combined total of nearly 600,000 individuals.
The largest breach involves North Texas Behavioral Health Authority, which serves populations seeking mental health and substance abuse resources. The organization disclosed in March 2026 that it detected a network intrusion in October 2025, with an investigation confirming that unauthorized individuals may have accessed and exfiltrated files containing personal information including Social Security numbers. The incident affects 285,000 individuals.
Southern Illinois Dermatology, based in Salem, Illinois, disclosed that a cybersecurity incident detected in late November 2025 resulted in the compromise of files storing personal information, affecting 160,000 individuals. The Insomnia ransomware group claimed responsibility in February, asserting it stole data belonging to 150,000 patients and has since leaked the allegedly stolen data publicly.
Saint Anthony Hospital in Chicago disclosed that two employee email accounts were compromised in February 2025, exposing the personal and health information of 146,000 patients. The hospital has previously been targeted by LockBit, which listed the organization on its leak site in January 2024, though that incident appears unrelated to the current email compromise.
Who is affected
Nearly 600,000 patients across Texas and Illinois face exposure of sensitive personal and health information. The North Texas Behavioral Health Authority breach is particularly sensitive given the nature of the organization’s services, with Social Security numbers among the potentially exfiltrated data. Southern Illinois Dermatology patients face additional exposure risk as the Insomnia ransomware group has already publicly leaked the allegedly stolen data.
Why CISOs should care
Three separate healthcare breaches disclosed in the same week, spanning network intrusion, ransomware exfiltration, and email account compromise, illustrate how many different entry points attackers use to reach the same category of high-value data. Healthcare organizations remain among the most targeted sectors precisely because the data they hold (mental health records, SSNs, patient histories) is both sensitive and monetizable.
The Southern Illinois Dermatology case also reinforces a pattern that security leaders should factor into breach response planning: ransomware groups are now routinely leaking data publicly regardless of whether a ransom is paid, removing the option of containment through non-disclosure.
3 practical actions
- Prioritize email account security as a first-order control: The Saint Anthony Hospital breach stemmed from two compromised employee email accounts. Multi-factor authentication, anomalous login alerting, and regular access reviews on email accounts holding patient data are foundational controls that this incident confirms are still being missed.
- Treat ransomware group leak site listings as a breach notification trigger: Southern Illinois Dermatology was listed on the Insomnia group’s site in February before the HHS disclosure. Organizations should monitor ransomware leak sites as part of their threat intelligence program and treat a listing as a presumptive breach requiring immediate investigation.
- Review network detection and response coverage for dwell time reduction: The North Texas Behavioral Health Authority intrusion occurred in October 2025 but was not disclosed until March 2026. Reducing the gap between initial compromise and detection is critical in limiting the volume of data that can be exfiltrated during prolonged unauthorized access.
