Strauss Borrelli PLLC, a leading data breach law firm, is investigating Loretto Hospital regarding its recent data breach. The Loretto Hospital data breach involved sensitive personal information and protected health information belonging to an undetermined number of individuals.
ABOUT LORETTO HOSPITAL:
Loretto Hospital is a 177-bed, not for profit, acute care hospital based in Illinois.2 Founded in 1923, Loretto Hospital serves more than 33,000 patients each year from across Chicago and its western suburbs.3,4 Today, Loretto Hospital offers a variety of healthcare services, including primary care, geriatric medicine, vision care, behavioral health services, women’s health, podiatric medicine, and dental services.3 Headquartered in Chicago, Illinois, Loretto Hospital employs over 600 individuals.
WHAT HAPPENED?
Recently, Loretto Hospital announced that it had experienced a data breach in which sensitive personal identifiable information in its care may have been accessed. According to the breach notice, Loretto Hospital recently became aware of suspicious activity involving its computer network.1 As a result, Loretto Hospital launched an investigation to determine the nature of the incident.
Through its investigation, Loretto Hospital confirmed that sensitive personal information in its systems may have been compromised by an unauthorized third party between January 17, 2025, and February 1, 2025. Additionally, certain data that was input into Loretto Hospital’s electronic medical record system between the evening of February 2, 2025, through the afternoon of February 3, 2025, was not saved.1 As a result, Loretto Hospital began a review of the data to determine what information had been impacted as well as identify the specific individuals affected. As of April 8, 2025, Loretto Hospital’s review of the impacted files is ongoing, and it has not yet revealed the specific types of information impacted. However, Loretto Hospital stated in its breach notice that, “…as an employer and healthcare provider we do store certain types of personal information on our systems.”, and, “…at the conclusion of the review, we will notify those who are potentially affected by this incident.”1 Additionally, according to state reporting guidelines, “personal information” can include the following types of information:
- Name
- Social Security number
- Driver’s license number or state identification card number
- Account number or credit or debit card number, or an account number or credit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account
- Medical information
- Health insurance information
- Unique biometric data, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data
- Username or email address, in combination with a password or security question and answer that would permit access to an online account
On April 4, 2025, Loretto Hospital posted a notice of the incident on its website. Additionally, Loretto Hospital plans to send breach notification letters to impacted individuals once its review of the compromised data is complete. Based on the website breach notice, Loretto Hospital is providing affected individuals with a list of the specific types of sensitive information impacted. A link to the form breach notification that Loretto Hospital posted to its website is below.
If you received a breach notification letter from Loretto Hospital:
We would like to speak with you about your rights and potential legal remedies in response to this data breach. Please fill out the form, below, or contact us at 872.263.1100 or sam@straussborrelli.com.
