Saint Anthony Hospital email breach grows to 146k victims after review
Farah Amod
May 6, 2026
A February 2025 employee email compromise at a Chicago community hospital took more than a year to scope fully, with the final patient count coming in 22 times higher than the figure first reported to federal regulators.
What happened
Saint Anthony Hospital, a nonprofit community hospital in Chicago, has notified 146,108 individuals of a data breach stemming from unauthorized access to employee email accounts first detected on February 6, 2025. According to SecurityWeek, two employee email accounts were compromised, exposing patients' personal and protected health information (PHI). The hospital initially reported the breach to the HHS Office for Civil Rights in September 2025, estimating that 6,679 individuals were affected. The third-party specialists engaged to review the affected files did not complete their review until February 13, 2026, and mailing of notification letters began on March 6, 2026, after contact information was verified. The final HHS breach portal figure of 146,108 represents a count more than 22 times the initial estimate. Compromised data includes names, addresses, dates of birth, Social Security numbers, medical record numbers, patient account numbers, prescription information, and medical histories.
Going deeper
The breach involved unauthorized access to unstructured data within employee email accounts rather than the hospital's electronic medical records system, which the hospital confirmed was not affected. Unstructured data in email environments is among the most difficult to scope in a breach investigation because it requires manual or semi-automated review of individual messages and attachments rather than querying a structured database. According to the hospital's own breach notice, the investigation was conducted with the support of third-party cybersecurity professionals, and law enforcement was notified. The gap between the February 2025 incident and the March 2026 notification letters reflects the time required to identify every affected individual within a large volume of unindexed email data. Saint Anthony Hospital had previously been listed on the LockBit ransomware group's leak site in January 2024, though SecurityWeek noted that the incident does not appear to be related to the current breach.
What was said
In its substitute breach notification, Saint Anthony Hospital stated that on or about February 6, 2025, it "learned that an unauthorized party may have obtained access to a limited number of Saint Anthony Hospital employee email accounts," and that it "immediately began efforts to remediate the incident and commenced a prompt and thorough investigation." The hospital stated it has been "working very closely with third-party cybersecurity professionals experienced in handling these types of incidents to determine the nature and scope of the incident." The hospital added that it has no evidence of actual or attempted misuse of the exposed data.
In the know
Saint Anthony Hospital is a safety-net hospital serving a predominantly low-income, Latino community on Chicago's southwest side. According to CBS Chicago, the hospital provides care across a wide service area, and the breach affects patients whose information passed through employee email accounts during the access window. Safety-net hospitals operate under tighter resource constraints than larger health systems, often limiting the dedicated forensic and legal capacity needed to conduct and conclude breach investigations at pace. The 13-month gap between the February 2025 incident and the March 2026 notification letters reflects that constraint directly.
The big picture
The Saint Anthony breach fits a pattern Paubox has documented consistently in HHS data: the initial breach count reported to OCR rarely reflects the final scope. Placeholder estimates and ongoing file reviews are standard in email breach investigations, but the larger the volume of unstructured email data involved, the wider the gap between the first estimate and the confirmed count. According to Paubox's Top 3 Healthcare Email Attacks report, phishing-driven mailbox takeovers exposed 630,000 individuals across healthcare in 2025, with credential-based account access accounting for the largest share of exposed patient data among email breach types. When attackers access employee email accounts as authenticated users, they read through inboxes with valid credentials and typically trigger none of the alerts tuned for malware or system anomalies, so the exposure window often extends well beyond the initial detection date.
FAQs
Why was the initial breach estimate so much lower than the final count?
The hospital initially filed with HHS using a placeholder estimate while its file review was ongoing. Scoping a breach involving unstructured email data requires reviewing individual messages and attachments, a process that takes significantly longer than querying a structured database. The final count is confirmed only after every affected file has been individually assessed.
What is unstructured data, and why does it complicate breach investigations?
Unstructured data refers to information stored in formats that are not organized in predefined fields, such as email messages, attachments, scanned documents, and free-text notes. Unlike a database record, each item must be individually reviewed to determine whether it contains PHI and whose information it involves, which is why file reviews in email breaches can take months.
Does the 13-month notification timeline create HIPAA exposure for the hospital?
HIPAA requires notification within 60 days of discovering a breach. Where the scope of a breach remains under active investigation, OCR has accepted extended timelines when organizations can demonstrate ongoing good-faith efforts to complete the review. The hospital's engagement of third-party specialists and law enforcement would support that position, though OCR ultimately determines whether the timeline was reasonable.
Why do employee email accounts contain so much sensitive patient data?
Clinical and administrative workflows in healthcare rely heavily on email for referrals, lab results, insurance authorizations, billing communications, and care coordination. Each of those workflows routinely involves PHI, meaning compromised employee accounts can contain years of sensitive patient information across thousands of messages.
What control would have limited the scope of this breach?
Restricting the volume of PHI transmitted through unencrypted or unmonitored email, applying data loss prevention controls that flag messages containing Social Security numbers or medical record identifiers, and limiting the retention period for PHI in email accounts all reduce the volume of data exposed when an account is compromised.
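As an added illustration of the two controls named above (not code from Paubox or the hospital), the Python below scans a constructed mailbox for the identifier classes this breach exposed and flags PHI-bearing messages that have outlived a retention window. The SSN check applies the public SSA format rules; the MRN and patient account number formats are assumptions for the example, and the sample messages are constructed.

```python
import re
from datetime import date

# Constructed sample mailbox: (message id, sent date, body). Not real patient data.
SAMPLE_MAILBOX = [
    ("msg-001", date(2021, 3, 14), "Referral for J. Doe, DOB 01/02/1960, SSN 123-45-6789, MRN 000456789."),
    ("msg-002", date(2025, 1, 20), "Prior auth approved. Patient account number PA-7788123 on file."),
    ("msg-003", date(2025, 1, 22), "Lunch Friday? Conference room 4."),
    ("msg-004", date(2019, 11, 2), "Lab results attached for MRN 000998877; call patient re: Rx refill."),
]
DETECTION_DATE = date(2025, 2, 6)  # date the hospital first detected the access

# SSN format rules: area not 000/666/900-999, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Assumed local formats: "MRN 000456789" (6-10 digits) and "account number PA-7788123".
MRN_RE = re.compile(r"\bMRN\s*[:#]?\s*\d{6,10}\b", re.IGNORECASE)
ACCT_RE = re.compile(r"\baccount number\s*[:#]?\s*[A-Z]{2}-\d{6,}\b", re.IGNORECASE)

def find_identifiers(body):
    """Return the identifier classes present in a message body, in fixed order."""
    hits = []
    for label, pattern in (("ssn", SSN_RE), ("mrn", MRN_RE), ("account", ACCT_RE)):
        if pattern.search(body):
            hits.append(label)
    return hits

def scan_mailbox(mailbox, today, retention_days=365):
    """Flag each message: which identifiers it carries and whether it is past retention."""
    results = []
    for msg_id, sent, body in mailbox:
        hits = find_identifiers(body)
        age = (today - sent).days
        results.append({
            "id": msg_id,
            "identifiers": hits,
            "age_days": age,
            "over_retention": bool(hits) and age > retention_days,
        })
    return results

def summarize(results):
    """Count PHI-bearing messages and how many a retention policy would already have purged."""
    with_phi = [r for r in results if r["identifiers"]]
    stale = [r for r in with_phi if r["over_retention"]]
    return {"messages": len(results), "with_phi": len(with_phi), "past_retention": len(stale)}

if __name__ == "__main__":
    for r in scan_mailbox(SAMPLE_MAILBOX, DETECTION_DATE):
        print(r)
    print(summarize(scan_mailbox(SAMPLE_MAILBOX, DETECTION_DATE)))
```

In the constructed sample, two of the three PHI-bearing messages are older than the one-year window, which is the portion of exposed data a retention limit would have removed before the account was compromised.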