Active breach tracker Chicago, IL Disclosed March 6, 2026

Saint Anthony Hospital Email Data Breach 2026 (Chicago): 146,108 Patients Exposed After Year-Long Forensic Review. No Credit Monitoring Offered. What To Do

Saint Anthony Hospital in Chicago disclosed in March 2026 that a February 2025 unauthorized access to two employee email accounts exposed Social Security numbers, medical record numbers, diagnoses, and prescription information for 146,108 patients. Final OCR count revised up from initial 6,679 estimate. No credit monitoring offered. Here is what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Feb 6, 2025

Unauthorized access to employee email accounts detected

Feb 6, 2025

Attacker gained access

Feb 27, 2025

Email access activity period concluded

Sep 12, 2025

Initial OCR filing at placeholder estimate (6,679)

Feb 13, 2026

Forensic review of email contents completed

Mar 6, 2026

Notification letters mailed; OCR submission revised to 146,108

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number

02

Health records

Don't expire and can't be reissued

Medical record number Diagnoses and conditions Treatment information Prescription information

03

Contact & insurance

Phishing + targeted scams

Full name Home address Phone number Date of service Patient account number Medical history

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Mason LLP (publicly investigating) Strauss Borrelli (publicly investigating) Migliaccio & Rathod (publicly investigating) The Lyon Firm (publicly investigating) Shamis & Gentile (publicly investigating) Console & Associates (publicly investigating)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

What happened

Saint Anthony Hospital is a 151-bed independent community hospital in Chicago’s Pilsen and Little Village neighborhoods. It is a non-profit safety-net hospital primarily serving Hispanic and Latino communities on Chicago’s near-southwest side. It is not affiliated with Advocate, Loyola, or other large Chicago hospital systems.

On February 6, 2025, Saint Anthony detected unauthorized access to two employee email accounts. The access activity continued through approximately February 27, 2025. The hospital engaged forensic investigators to determine what was in the affected mailboxes.

The forensic review took roughly a year. The initial OCR filing on September 12, 2025 estimated 6,679 affected individuals based on early review. After deeper review of unstructured email content (attachments, forwarded patient communications, billing correspondence), the count was substantially revised. On February 13, 2026, the review concluded; on March 6, 2026, the hospital filed an updated OCR report and mailed notification letters confirming 146,108 affected individuals — roughly 22 times the initial estimate.

The electronic health record (EHR) system was not affected. The exposure is limited to information contained in the two compromised email mailboxes. That information was unstructured: forwarded EOB attachments, billing correspondence, patient communications, prescription verification emails, and similar artifacts. The reason the affected count grew so substantially is that mailboxes can accumulate references to a very large number of patients over time, even though the EHR itself was never accessed.

No ransomware group has claimed responsibility. The intrusion pattern is consistent with business email compromise (BEC) or credential-phishing-driven mailbox takeover — the attacker likely obtained employee credentials and used them to access the mailboxes without deploying any encryption or extortion payload.

Note: this incident is separate from Saint Anthony Hospital’s prior December 2023 LockBit ransomware breach (360,220 individuals, settled in La’Que Burgin v. Saint Anthony Hospital, Cook County 2024CH00940, $1,350,285 class fund). That earlier settlement does not cover the 2026 email-breach class.

What was stolen

The compromised data in the two mailboxes included:

  • Full name
  • Home address
  • Phone number
  • Date of birth
  • Social Security number
  • Date of service
  • Medical record number
  • Patient account number
  • Medical history
  • Diagnoses and conditions
  • Treatment information
  • Prescription information

This is a substantively complete clinical profile for most affected patients, despite the EHR system itself not being directly accessed. Email tends to accumulate forwarded clinical content over time, so a long-running mailbox takeover effectively gives the attacker a slice of clinical data even when the EHR is untouched.

Who is affected

If you received care at Saint Anthony Hospital (151 N California Avenue, Chicago) between roughly 2018 and February 2025, your record may have appeared in one of the two compromised email mailboxes. Saint Anthony serves the Pilsen, Little Village, North Lawndale, and surrounding neighborhoods. The hospital does outreach and street-medicine work in Spanish-language and undocumented patient populations, which is relevant because some affected patients may be hesitant to engage with credit-bureau or law-enforcement processes for status-related reasons.

What Saint Anthony is offering

No complimentary credit monitoring or identity theft protection was offered, despite full Social Security numbers being exposed. The hospital’s notice directs recipients to free fraud-alert and credit-freeze procedures at Equifax, Experian, and TransUnion.

  • Saint Anthony dedicated hotline: 833-844-5403 (Monday to Friday, 8 a.m. to 8 p.m. Eastern)
  • Earlier hotline (Nov 2025 notice cycle): 877-580-4384

The absence of credit monitoring is the most significant feature of this breach response and the primary point of complaint from plaintiffs’ firms now investigating.

What to do if you received a notification letter

This week:

  1. Place free credit freezes at Equifax, Experian, and TransUnion. With full SSN exposed, this is essential and Saint Anthony is not providing monitoring.
  2. Pull a free credit report from each bureau at annualcreditreport.com.
  3. File IRS Form 14039 to prevent fraudulent tax-return filings under your SSN.
  4. Consider purchasing your own credit monitoring. With 146,000 records exposed including SSN, you may want 12 to 24 months of monitoring that Saint Anthony is not providing.
  5. Review your Explanation of Benefits statements for unfamiliar services, unfamiliar prescriptions, or unfamiliar providers.

This month:

  1. Stop the ongoing flow of your health data. HealthConsent files HIPAA restriction requests, FTC HBNR deletion requests, and state-law deletion requests so the demographic, prescription, and treatment data exposed in this breach is not continuously re-shared and sold by downstream entities. Because the dataset includes prescription information, the downstream-flow problem is especially relevant for pharmacy networks and prescription data brokers.
  2. If you are concerned about immigration status or sensitive diagnoses being misused: the exposed dataset does include enough identifying information to support targeted scams. Be skeptical of any unexpected outreach claiming to be from Saint Anthony Hospital, ICE, or related agencies.

Frequently asked questions

How did the count grow from 6,679 to 146,108?

The initial September 2025 OCR filing was based on an early estimate of how many patients were likely referenced in the two mailboxes. The full forensic review of the mailbox contents (attachments, threads, forwarded patient communications) found references to far more patients than the initial estimate suggested. This pattern is not unusual for email-breach reviews, which often grow substantially as forensic teams complete the unstructured-content review.

Was my full medical record taken?

Not directly. The EHR was not breached. What was in the email mailboxes was clinical content (attachments, billing items, prescription verifications, patient communications) that referenced your record. The data is real and sensitive, but it is a slice of clinical content rather than your complete EHR.

Why is no credit monitoring offered?

The hospital’s notice does not explain the decision. Given that full SSNs were exposed and the EHR was not the source of the breach, the absence of monitoring is a material departure from industry norms. It will likely be a central issue in any class action.

Should I sue?

Six plaintiffs’ firms have publicly announced investigations (Mason LLP, Strauss Borrelli, Migliaccio & Rathod, The Lyon Firm, Shamis & Gentile, Console & Associates). No class action complaint specific to the 2026 email breach has been filed as of mid-May 2026. Given the SSN exposure, the absence of credit monitoring, and the 13-month detection-to-notification gap, complaints are expected. The prior 2023 LockBit breach settlement does not cover this incident — you would need to be a separate class member here. We are not a law firm and cannot give legal advice.

Is HealthConsent affiliated with Saint Anthony Hospital?

No. HealthConsent is an independent health-data privacy service.

Continue reading

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.