You are here

Notice of Security Incident at Sinai Health System

On October 2, 2017, Sinai Health System (SHS) experienced a “phishing” incident. Specifically, an unknown third party was able to obtain the network credentials (usernames and passwords) of certain SHS employees as a result of a “phishing” email. 

Following this incident, SHS conducted a thorough investigation, working with nationally-recognized forensic information technology and data discovery experts. Based on the investigation to date, we have concluded that two employee email accounts were compromised, potentially affecting approximately 11,350 individuals.  We cannot confirm whether any patient health information in those accounts was actually viewed, downloaded or forwarded. While we believe that the risk of exposure of patient health information is low, in the interest of protecting our patients, we are mailing notices to potentially affected patients informing them of this incident.  We are also providing this website notice because we anticipate that certain patients may have moved or may not be reachable by mail.   

If you believe you may have been impacted, have questions regarding this incident or if you are contacted regarding your care or accounts at SHS in a manner which is unusual or unexpected, please call the following toll free number: 1-855-260-2768, Monday through Saturday, 8 a.m. – 8 p.m. Central Time. Assistance is available in both English and Spanish and at no charge to patients.

Our investigation does not show that any financial information was compromised that would pose a risk to credit card or bank accounts. However, to provide additional protection to patients, we have partnered with AllClear ID to offer credit monitoring services for 12 months at no charge to individuals potentially affected by this incident.  For questions about AllClear ID’s services, please call 1-855-260-2768.  

SHS took action to secure email accounts and patient information immediately after learning of the incident.  Among other things, the SHS Information Technology (IT) team deleted all copies of the phishing email to prevent further exposure, provided all system users with a warning about the phishing email involved in this incident and changed the passwords of all SHS system users.  The IT team also implemented a new warning, posted at the top of every email that originates from outside the SHS system, advising users not to click on any link or attachment unless the user recognizes the sender and knows the content is safe. The IT team provided additional instructions regarding system security to all users and is currently reviewing further system security enhancements to help us prevent future incidents.

SHS remains extremely committed to protecting our patients’ privacy and safeguarding all personal health and financial information we maintain.  We sincerely apologize for any inconvenience this situation may cause our patients and are dedicated to continued investment in improvements to protect our patients and deter malicious cybercrime.