Southern Illinois Dermatology Data Breach 2026 (Insomnia Group): 160,312 Patients Across 13 Clinics. Data Leaked Publicly. No Credit Monitoring Offered. What To Do
Southern Illinois Dermatology disclosed in April 2026 a November 2025 network intrusion by the Insomnia data-theft extortion group. 160,312 patients across 13 rural Illinois clinics had names, Social Security numbers, dates of birth, and medical record numbers exposed. The Insomnia group publicly leaked sample data on its dark web site two months before the practice notified patients. No credit monitoring was offered. Here is what to do.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Nov 28, 2025
Cyber incident identified; third-party forensics engaged
Nov 28, 2025
Attacker gained access
Feb 7, 2026
Insomnia group posts claim and sample data on leak site
Mar 4, 2026
Forensic review confirms PII/PHI involvement
Apr 2, 2026
Notification letters mailed; HHS OCR filing; website notice
Nov 28, 2025
Cyber incident identified; third-party forensics engaged
Nov 28, 2025
Attacker gained access
Feb 7, 2026
Insomnia group posts claim and sample data on leak site
Mar 4, 2026
Forensic review confirms PII/PHI involvement
Apr 2, 2026
Notification letters mailed; HHS OCR filing; website notice
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
What happened
Southern Illinois Dermatology is a single-owner private dermatology practice founded in 1996 by Dr. Ted G. VanAcker. Over roughly 30 years it has grown to 13 clinic locations across rural Southern Illinois, headquartered in Herrin. It describes itself as the only single-owner dermatology practice serving the region.
On November 28, 2025, SID identified a cybersecurity incident inside its network. The practice engaged a third-party forensic firm to investigate. The forensic review took several months. On March 4, 2026, the review concluded that the compromised files contained personally identifiable information and protected health information. SID mailed individual notification letters and filed with the US Department of Health and Human Services Office for Civil Rights on April 2, 2026, confirming 160,312 affected individuals.
Two months before patients were notified, on February 7, 2026, a data-theft extortion group calling itself Insomnia claimed responsibility on its dark web leak site and posted sample documents from the breach as proof. Insomnia operates a “leak first, encrypt nothing” extortion model — it exfiltrates data, threatens publication, and follows through when payment is not received. The Insomnia leak listing remains live as of mid-May 2026.
The roughly 125-day gap between detection and notification well exceeds HIPAA’s 60-day Breach Notification Rule clock and has been flagged by every plaintiffs’ firm now investigating. Worse, the public Insomnia posting on February 7 meant the data was already circulating on the dark web for nearly two months before SID’s patients received any notice.
What was stolen
The compromised data included:
- Full name
- Home address
- Date of birth
- Social Security number
- Phone number
- Email address
- “Person number” / patient identifier
- Medical record number
SID’s notice does not specify whether clinical detail (diagnoses, dermatologic biopsy results, treatment notes) was in the exfiltrated dataset. Given the Insomnia leak-site sample posting and the breadth of practice-management software they likely accessed, treatment-history data is plausibly in scope even though not explicitly confirmed.
Who is affected (13 SID clinic locations)
SID operates clinics in the following Southern Illinois cities. If you have received dermatology care, biopsies, skin-cancer screening, or cosmetic procedures at any of these locations, you may be affected:
- Anna
- Carbondale
- Centralia
- Du Quoin
- Harrisburg
- Herrin (HQ — 220 N Park Avenue, Suite 2)
- Mt. Vernon
- Murphysboro
- Red Bud
- Salem
- Steeleville
- Vandalia
- West Frankfort
What SID is offering
No credit monitoring or identity-theft protection services were offered, despite Social Security numbers being exposed. This is a material departure from standard healthcare breach response and from what individuals in similar breaches (TriZetto, QualDerm, OpenLoop) received. The mailed letter directs recipients only to free fraud-alert and credit-freeze procedures at Equifax, Experian, and TransUnion.
- SID dedicated response line: 1-833-997-6029 (Monday to Friday, 8 a.m. to 8 p.m. Eastern)
The absence of credit monitoring is the most notable feature of this breach response and the primary point raised by plaintiffs’ firms publicly investigating.
What to do if you received a notification letter
This week:
- Place free credit freezes at all three bureaus (Equifax, Experian, TransUnion). With full SSN exposed, this is essential and SID is not providing monitoring.
- Pull a free credit report from each bureau at
annualcreditreport.com. - File IRS Form 14039 to prevent fraudulent tax return filings under your SSN.
- Consider purchasing your own credit monitoring through a third-party service since SID is not providing one. The breach exposure profile (SSN plus medical record number plus contact info) is comparable to breaches where 12 to 24 months of monitoring is industry standard.
- Review Explanation of Benefits (EOB) statements from your health insurer for unfamiliar dermatology or related-specialty claims.
This month:
- Stop the ongoing flow of your health data. HealthConsent files HIPAA restriction requests, data-broker deletion requests, and state-law deletion requests so the demographic and medical-record-context information exposed in this breach is not continuously re-shared by downstream entities. Because Insomnia publicly posted sample data, your record is already in the wild and the ongoing-flow problem is more serious than for an unpublished breach.
- Document your out-of-pocket losses. Several plaintiffs’ firms are investigating the lack of credit monitoring as a separate harm. If a class action is filed and settles, recipients with documented losses may recover more than those without.
Frequently asked questions
Why is no credit monitoring offered?
SID’s public notice does not explain the decision. Given that Social Security numbers were exposed, the absence of credit monitoring is a material departure from healthcare-breach norms. It will likely be a central issue in any class action that follows.
Was my data published online?
Sample data was. On February 7, 2026, the Insomnia group posted documents on its dark web leak site as proof of the breach. The full dataset may or may not have been published since. SID has not publicly addressed the Insomnia posting.
What is Insomnia?
Insomnia is a data-theft extortion operation that emerged in 2025. Unlike traditional ransomware groups that encrypt systems and demand payment for decryption, Insomnia exfiltrates data and threatens publication. If the target does not pay, the data goes up on Insomnia’s dark web site. Insomnia has been linked to multiple healthcare data breaches in 2025 and 2026.
Should I sue?
Four plaintiffs’ firms (Edelson Lechtzin, Schubert Jonckheer & Kolbe, Shamis & Gentile, Levi & Korsinsky) have publicly announced investigations. ClassAction.org’s panel reviewed and passed on filing. No class action complaint has been filed as of mid-May 2026, but the absence of credit monitoring plus the 125-day notification gap creates an aggressive plaintiffs’ theory. We are not a law firm and cannot give legal advice.
Is HealthConsent affiliated with SID?
No. HealthConsent is an independent health-data privacy service.
Continue reading
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- Southern Illinois Dermatology: Notice of Data Security Incident
- Southern Illinois Dermatology Practice Information
- HIPAA Journal: Southern Illinois Dermatology Data Breach Coverage
- Comparitech: SID Breach Leaked SSNs (13 locations enumerated)
- SecurityWeek: Healthcare Breaches in Illinois and Texas Affect 600,000
- Class Action Notice PDF (mirror)
- HHS OCR Breach Portal
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.