St. Anthony Regional Hospital breach exposes patient data

Faith-based healthcare provider, St Anthony Regional Hospital, experienced a data breach that exposed personally identifiable information (PII) and protected health information (PHI) of current and former patients.

What happened

According to Claim Depot, St Anthony Regional Hospital discovered unauthorized access after detecting unusual system activity. An internal investigation, supported by third-party cybersecurity specialists, confirmed that unknown actors accessed or downloaded files containing sensitive personal and health information.

While the number of affected individuals has not been determined, notifications are continuing to be mailed to others across multiple states.

The types of information potentially exposed include:

• Full names and addresses
• Dates of birth
• Social Security numbers
• Driver’s license and other government ID numbers
• Payment card and financial account information
• Medical and billing data, including diagnosis and prescription details
• Biometric and patient identification numbers

Going deeper

After confirming the breach, St. Anthony Regional Hospital secured its network and launched a comprehensive investigation with cybersecurity experts. The hospital also notified federal law enforcement and relevant state attorneys general as part of regulatory reporting obligations. A dedicated call center has been established to assist those affected, and 24 months of free credit monitoring and identity theft protection services are being offered through TransUnion for impacted individuals.

What was said

In their breach notice, the hospital acknowledges the breach and notes that there is currently no evidence that the affected information has been used to commit identity theft or fraud. The breach also notes that the hospital has notified federal law enforcement and “potentially affected individuals via website and media notice.”

As a response to the breach, the hospital is reviewing its “policies, procedures, and processes to reduce the likelihood of a similar future event.” Additionally, they are encouraging affected individuals to “remain vigilant against incidents of identity theft by reviewing account statements, credit reports, and explanations of benefits for unusual activity and to detect errors.”

Why it matters

The St. Anthony Regional Hospital breach is not just another isolated incident. It is part of a broader, systemic vulnerability trend in healthcare cybersecurity that industry experts have repeatedly warned about.

Recently, Paubox reported a Wyandot Center breach in its network system that resulted in the exposure of PHI and PII of an undisclosed number of individuals. Additionally, Oglethorpe, Inc, also reported a breach in its network system affecting 92,332 individuals.

Together, these incidents illustrate a persistent pattern where healthcare organizations remain highly attractive targets to cybercriminals. Network intrusions, like those seen at St. Anthony, Wyandot Center, and Oglethorpe, can expose patients to long-term risks such as identity theft, medical fraud, and financial exploitation.

See also: HIPAA Compliant Email: The Definitive Guide (2025 Update)

FAQS

Why are healthcare organizations frequent targets for cyberattacks?

Healthcare entities store large volumes of highly sensitive data that are valuable to cybercriminals. Additionally, complex networks and legacy systems can increase exposure if not properly secured.

Could the exposed data be misused even years later?

Yes. Healthcare data has long-term value to cybercriminals because information such as Social Security numbers, medical histories, and insurance details cannot be easily changed.

What penalties can healthcare organizations face after a breach?

Organizations may face regulatory fines, class-action lawsuits, remediation costs, and reputational damage, especially if regulators find inadequate safeguards or delayed notification.