As patients in Chicago's hospital systems navigate the World Cup infectious disease preparedness posture, a parallel crisis in healthcare cybersecurity is producing harm of a different but equally serious kind: in 2024, healthcare data breaches exposed the records of more than 289 million individuals in the United States — equivalent to 85% of the entire U.S. population — in a single year.
That figure, documented by the HIPAA Journal's comprehensive 2026 breach statistics compilation, represents a 58% increase in affected individuals from 2023, which itself was up 193% from 2022. The number of individual large healthcare data breaches is increasing by single-digit percentages per year, but the number of affected individuals is exploding — because the breaches that are occurring are targeting the largest healthcare organizations and health insurance systems, extracting records at a scale previously unimagined.
Chicago's hospital landscape makes it specifically vulnerable to this trend. The city is home to the University of Chicago Medicine, Northwestern Medicine, Rush University Medical Center, Advocate Health, and the Cook County Health system — major academic and community health systems that collectively hold the electronic health records of millions of Illinois patients.
Several of Chicago's affiliated health systems and insurance partners were directly affected by the Change Healthcare cyberattack of February 2024, which exposed the records of approximately 100 million Americans — the single largest healthcare data breach in U.S. history — because Change Healthcare (a subsidiary of UnitedHealth Group) processed claims for a substantial fraction of the entire U.S. healthcare system. Many Chicago-area providers whose billing ran through Change Healthcare saw their patients' data exposed without any breach of their own systems.
What a Healthcare Data Breach Actually Means for Patients
The personal consequences of a healthcare data breach extend far beyond the inconvenience of a notification letter. Healthcare records are the most valuable category of personal information on black market data exchanges — worth ten to forty times more per record than financial account credentials — because they contain Social Security numbers, full date of birth, insurance identifiers, and detailed personal health histories that enable sophisticated identity theft. Medical identity theft — where stolen health records are used to fraudulently bill insurance for medical services, obtain prescription medications under another person's identity, or create false identities using health credentials — affects an estimated 2.3 million Americans annually and is dramatically more difficult to detect and resolve than financial identity theft.
For Chicago patients who are covered by major insurance carriers, including UnitedHealthcare, Blue Cross Blue Shield of Illinois, Cigna, and Humana — all carriers that have been affected by major data breaches since 2024 — the probability that their healthcare records have been exposed at some point in the past two years is non-trivially high. The HIPAA Journal's data shows that the average cost of a healthcare data breach to the organization that suffers it is $10.9 million — the highest of any industry for the 13th consecutive year. The cost to the individual patient, measured in damaged credit, fraudulent medical accounts, and the extraordinary hours required to remediate identity theft, is borne entirely by the victim.
What Chicago Patients Should Do Right Now
Any Chicago-area patient who has received a breach notification letter from a healthcare provider, insurer, or health-related organization in the past two years should immediately take several protective steps: Place a free credit freeze at all three major credit bureaus (Equifax, Experian, TransUnion) — a freeze prevents any new credit accounts from being opened in your name, even with correct Social Security and identity information.
Review your Explanation of Benefits statements from your insurer for any services you did not receive, which may indicate medical identity theft. Request a copy of your medical records summary from your primary care provider or major hospital — any unknown entries may indicate fraudulent service billing under your identity. Enroll in the identity monitoring service offered in your breach notification — most organizations provide at least 12 months free. File an FTC identity theft report at identitytheft.gov if you discover fraudulent activity.
The Illinois Attorney General's Identity Theft Hotline at 1-800-243-0618 provides free assistance to Illinois residents navigating healthcare identity theft resolution.
