Months after hackers slipped into the computer systems at Bronzeville’s Insight Hospital and Medical Center, patients are only now being warned their most sensitive information may have been exposed. The Chicago nonprofit says its network was breached between August 22 and September 11, 2025, and that both personal and treatment-related records could have been accessed. Officials are urging older residents and people on fixed incomes in the neighborhood to be especially cautious.
What the hospital says
In a public notice, Insight Hospital and Medical Center said it detected “unusual activity” on its systems in September 2025 and quickly brought in cybersecurity specialists to dig into what happened. According to the notice, the information that may have been involved includes names, Social Security numbers, driver’s license or passport numbers, financial account details, and treatment-related data such as health insurance information.
Council member Alexander Perez told CBS Chicago he was alarmed that patients are learning about the breach months after the fact, noting many of his constituents are elderly or living on fixed incomes. Perez argued that late notification shrinks the window for people to take proactive steps to protect themselves.
Cybersecurity expert Scott Schober echoed those concerns in comments to CBS Chicago. “If something is going to happen, that window when they used that compromised information is within a two-year time frame,” he said. Schober added that medical and financial details can be reused to file bogus insurance claims and that identity-theft monitoring is a sensible move for anyone who might be caught up in the breach.
Dark web claims and the investigation
While Insight works through its internal review, criminal gangs online are claiming they made off with far more than a few stray files. Security trackers and healthcare privacy outlets report that two groups, LockBit5 and another called Termite, later boasted of dumping alleged Insight data on the dark web. They claimed roughly 200 GB and 360 GB of stolen data, respectively, numbers that have not been independently verified, according to HIPAA Journal. The outlet also notes that Insight has not publicly acknowledged either group’s claims.
What patients can do
For patients, the immediate question is less who did it and more what to do now. In its notice, Insight Hospital and Medical Center lays out several steps it says potentially affected individuals should consider:
- Carefully review bank, credit card, and health insurance statements for charges you do not recognize.
- Obtain a free copy of your credit report at AnnualCreditReport.com.
- Place a fraud alert or a security freeze with the major credit bureaus.
- Report any suspicious activity to the Federal Trade Commission or your state attorney general.
The hospital says it will mail formal notices to all individuals whose information “could have been involved” once its review is finished.
Cybersecurity observers point out that healthcare systems remain prime targets for hackers because medical and identity records are hard, if not impossible, to change, and smaller providers often face steeper costs to recover from attacks. For now, Insight’s investigation is still underway, and patients are being told to watch their mail, keep an eye on their accounts, and follow the recommended steps to reduce the risk of identity theft.
