Active breach tracker Herrin, IL Disclosed April 2, 2026

Southern Illinois Dermatology Data Breach 2026 (Insomnia Group): 160,312 Patients Across 13 Clinics. Data Leaked Publicly. No Credit Monitoring Offered. What To Do

Southern Illinois Dermatology disclosed in April 2026 a November 2025 network intrusion by the Insomnia data-theft extortion group. 160,312 patients across 13 rural Illinois clinics had names, Social Security numbers, dates of birth, and medical record numbers exposed. The Insomnia group publicly leaked sample data on its dark web site two months before the practice notified patients. No credit monitoring was offered. Here is what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Nov 28, 2025

Cyber incident identified; third-party forensics engaged

Nov 28, 2025

Attacker gained access

Feb 7, 2026

Insomnia group posts claim and sample data on leak site

Mar 4, 2026

Forensic review confirms PII/PHI involvement

Apr 2, 2026

Notification letters mailed; HHS OCR filing; website notice

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number

02

Health records

Don't expire and can't be reissued

Medical record number

03

Contact & insurance

Phishing + targeted scams

Full name Home address Phone number Email address Person number / patient identifier

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Edelson Lechtzin Schubert Jonckheer & Kolbe Shamis & Gentile Levi & Korsinsky Barnow Law
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

What happened

Southern Illinois Dermatology is a single-owner private dermatology practice founded in 1996 by Dr. Ted G. VanAcker. Over roughly 30 years it has grown to 13 clinic locations across rural Southern Illinois, headquartered in Herrin. It describes itself as the only single-owner dermatology practice serving the region.

On November 28, 2025, SID identified a cybersecurity incident inside its network. The practice engaged a third-party forensic firm to investigate. The forensic review took several months. On March 4, 2026, the review concluded that the compromised files contained personally identifiable information and protected health information. SID mailed individual notification letters and filed with the US Department of Health and Human Services Office for Civil Rights on April 2, 2026, confirming 160,312 affected individuals.

Two months before patients were notified, on February 7, 2026, a data-theft extortion group calling itself Insomnia claimed responsibility on its dark web leak site and posted sample documents from the breach as proof. Insomnia operates a “leak first, encrypt nothing” extortion model — it exfiltrates data, threatens publication, and follows through when payment is not received. The Insomnia leak listing remains live as of mid-May 2026.

The roughly 125-day gap between detection and notification well exceeds HIPAA’s 60-day Breach Notification Rule clock and has been flagged by every plaintiffs’ firm now investigating. Worse, the public Insomnia posting on February 7 meant the data was already circulating on the dark web for nearly two months before SID’s patients received any notice.

What was stolen

The compromised data included:

  • Full name
  • Home address
  • Date of birth
  • Social Security number
  • Phone number
  • Email address
  • “Person number” / patient identifier
  • Medical record number

SID’s notice does not specify whether clinical detail (diagnoses, dermatologic biopsy results, treatment notes) was in the exfiltrated dataset. Given the Insomnia leak-site sample posting and the breadth of practice-management software they likely accessed, treatment-history data is plausibly in scope even though not explicitly confirmed.

Who is affected (13 SID clinic locations)

SID operates clinics in the following Southern Illinois cities. If you have received dermatology care, biopsies, skin-cancer screening, or cosmetic procedures at any of these locations, you may be affected:

  • Anna
  • Carbondale
  • Centralia
  • Du Quoin
  • Harrisburg
  • Herrin (HQ — 220 N Park Avenue, Suite 2)
  • Mt. Vernon
  • Murphysboro
  • Red Bud
  • Salem
  • Steeleville
  • Vandalia
  • West Frankfort

What SID is offering

No credit monitoring or identity-theft protection services were offered, despite Social Security numbers being exposed. This is a material departure from standard healthcare breach response and from what individuals in similar breaches (TriZetto, QualDerm, OpenLoop) received. The mailed letter directs recipients only to free fraud-alert and credit-freeze procedures at Equifax, Experian, and TransUnion.

  • SID dedicated response line: 1-833-997-6029 (Monday to Friday, 8 a.m. to 8 p.m. Eastern)

The absence of credit monitoring is the most notable feature of this breach response and the primary point raised by plaintiffs’ firms publicly investigating.

What to do if you received a notification letter

This week:

  1. Place free credit freezes at all three bureaus (Equifax, Experian, TransUnion). With full SSN exposed, this is essential and SID is not providing monitoring.
  2. Pull a free credit report from each bureau at annualcreditreport.com.
  3. File IRS Form 14039 to prevent fraudulent tax return filings under your SSN.
  4. Consider purchasing your own credit monitoring through a third-party service since SID is not providing one. The breach exposure profile (SSN plus medical record number plus contact info) is comparable to breaches where 12 to 24 months of monitoring is industry standard.
  5. Review Explanation of Benefits (EOB) statements from your health insurer for unfamiliar dermatology or related-specialty claims.

This month:

  1. Stop the ongoing flow of your health data. HealthConsent files HIPAA restriction requests, data-broker deletion requests, and state-law deletion requests so the demographic and medical-record-context information exposed in this breach is not continuously re-shared by downstream entities. Because Insomnia publicly posted sample data, your record is already in the wild and the ongoing-flow problem is more serious than for an unpublished breach.
  2. Document your out-of-pocket losses. Several plaintiffs’ firms are investigating the lack of credit monitoring as a separate harm. If a class action is filed and settles, recipients with documented losses may recover more than those without.

Frequently asked questions

Why is no credit monitoring offered?

SID’s public notice does not explain the decision. Given that Social Security numbers were exposed, the absence of credit monitoring is a material departure from healthcare-breach norms. It will likely be a central issue in any class action that follows.

Was my data published online?

Sample data was. On February 7, 2026, the Insomnia group posted documents on its dark web leak site as proof of the breach. The full dataset may or may not have been published since. SID has not publicly addressed the Insomnia posting.

What is Insomnia?

Insomnia is a data-theft extortion operation that emerged in 2025. Unlike traditional ransomware groups that encrypt systems and demand payment for decryption, Insomnia exfiltrates data and threatens publication. If the target does not pay, the data goes up on Insomnia’s dark web site. Insomnia has been linked to multiple healthcare data breaches in 2025 and 2026.

Should I sue?

Four plaintiffs’ firms (Edelson Lechtzin, Schubert Jonckheer & Kolbe, Shamis & Gentile, Levi & Korsinsky) have publicly announced investigations. ClassAction.org’s panel reviewed and passed on filing. No class action complaint has been filed as of mid-May 2026, but the absence of credit monitoring plus the 125-day notification gap creates an aggressive plaintiffs’ theory. We are not a law firm and cannot give legal advice.

Is HealthConsent affiliated with SID?

No. HealthConsent is an independent health-data privacy service.

Continue reading

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.