The University of Chicago Medical Center (UCMC) is committed to protecting the confidentiality and security of personal information. This notice is being posted because UCMC was recently the victim of an email security incident that may have resulted in unauthorized access to certain personal information. At this time, UCMC is not aware of any misuse of the personal information potentially affected by this incident.

Was I affected by this incident?

UCMC is providing separate written notification to affected individuals for whom we have mailing addresses. We are posting this notice for those affected individuals for whom we do not have mailing addresses. Ordinarily, if you were a patient at UCMC, we have your last known address.

What happened?

From January 4, 2024, to January 30, 2024, there was unauthorized access to the email accounts of a small number of UCMC workers. Upon learning of this incident on January 6, 2024, we took steps to terminate the unauthorized access and secure the affected email accounts. We also promptly began an investigation into the incident, with assistance from a leading cybersecurity firm and performed an analysis of the impacted email accounts. On March 28, 2024, we determined that personal information was available in at least one of the affected email accounts.

What information was involved?

The impacted UCMC workers’ email accounts contained the following types of personal information about the affected individuals, but not all of these were present for each individual: first and last name; date of birth; Social Security number; tax identification number; IRS PIN number; passport number; driver’s license or state issued identification number; military identification number; non-U.S. national identification number; account number; routing number; financial institution name; credit or debit card number and security code or PIN; access information, such as access credentials, security questions and answers, and digital signatures; health information, such as information about diagnoses and treatment, prescriptions, provider name, medical record number, patient identification number, or hospital account record number; health insurance information, such as Medicare or Medicaid number or health insurance subscriber number. The individuals whose information was affected by this incident included UCMC patients and their family members and others who received services from us.

What We Are Doing

We have implemented additional security measures to prevent the occurrence of a similar event in the future. For example, we have enhanced our threat monitoring and detection processes. We are also providing ongoing training to our employees on the importance of email security.

What You Can Do

We encourage you to remain vigilant for threats of fraud and identity theft by regularly reviewing your account statements and credit reports. We also encourage you to read account statements from your healthcare providers, explanations of benefits from your health plan, and other documents related to medical services to make sure they do not include services you did not receive.

For More Information

If you have any questions or concerns, contact us toll-free by calling 1-833-918-4065 Monday through Friday from 8am to 8pm Central Time (excluding major U.S. holidays) and reference engagement number B123133.