Full Report
On or about January 26, 2026, Insight Hospital and Medical Center (“Insight”) in Chicago issued a substitute notice. It states that in September 2025, Insight learned of unusual activity within its network. An investigation subsequently determined that an unauthorized individual accessed the network between August 22, 2025 and September 11, 2025. As of the date...
Analysis Summary
# Incident Report: Termite Ransomware Group Data Breach at Insight Hospital
## Executive Summary
Insight Hospital and Medical Center in Chicago suffered a significant data breach involving the exfiltration of 360 GB of sensitive patient and employee data by the "Termite" threat group. The unauthorized access occurred over a three-week period in late 2025, resulting in the complete dark web leak of approximately 900,000 files, including protected health information (PHI) and personally identifiable information (PII).
## Incident Details
- **Discovery Date:** September 2025
- **Incident Date:** August 22, 2025 – September 11, 2025
- **Affected Organization:** Insight Hospital and Medical Center
- **Sector:** Healthcare
- **Geography:** Chicago, Illinois, USA
## Timeline of Events
### Initial Access
- **Date/Time:** August 22, 2025
- **Vector:** Not explicitly disclosed (Investigation determined unauthorized access began on this date).
- **Details:** An unauthorized individual gained entry to the Insight network and maintained a presence for 20 days.
### Lateral Movement
- **Details:** While specific lateral movement techniques were not disclosed, the attacker successfully navigated the network to access a broad repository containing 900,000 files, including medical imaging (.dcm) and financial records.
### Data Exfiltration/Impact
- **Tranche Release:** On February 24, 2026, the Termite group published 360 GB of data.
- **Content:** The leak included Social Security numbers, driver’s license/passport numbers, financial account info, and treatment/insurance records.
### Detection & Response
- **Discovery:** Insight detected "unusual activity" in September 2025.
- **Public Notification:** A substitute notice was issued on January 26, 2026.
- **Current Status:** As of March 2026, data has been fully leaked; individual notifications are pending completion of a data review.
## Attack Methodology
- **Initial Access:** Unknown (phishing and RDP exploitation are common initial vectors in this sector, but neither has been confirmed here).
- **Collection:** Aggregated 360 GB of various file formats (.jpeg, .dcm, etc.).
- **Exfiltration:** Data was moved to external servers and eventually hosted on a dark web leak site.
- **Impact:** Data exfiltration and public shaming/extortion via the "Termite" dark web portal.
## Impact Assessment
- **Financial:** Potential for significant HIPAA fines and class-action litigation; no mitigation services (credit monitoring) have been offered yet.
- **Data Breach:** High. 900,000 files leaked, including SSNs and medical records.
- **Operational:** No reported clinical downtime, but significant resource diversion for data forensic review.
- **Reputational:** High. Complete data leak on the dark web after a delayed notification period.
## Indicators of Compromise
- **Network indicators:** Activity associated with Termite group leak sites (e.g., Tor-based URLs such as `[redacted].onion`).
- **File indicators:** Massive exfiltration of `.dcm` (DICOM - Medical Imaging) and `.jpeg` files.
- **Behavioral indicators:** Unusual network traffic spikes between Aug 22 and Sept 11, 2025.
## Response Actions
- **Containment:** Secured the network following the discovery of activity in September 2025.
- **Investigation:** Commissioned a forensic review to determine the scope of accessed files.
- **Compliance:** Issued a substitute notice on the corporate website in January 2026.
## Lessons Learned
- **Exfiltration Detection:** The attackers remained in the network for 20 days; earlier detection of large-scale data staging or egress could have mitigated the volume of lost data.
- **Notification Lag:** There was a significant gap between the September discovery and the January notice, and a further delay in notifying specific individuals while the data was already being leaked online.
## Recommendations
- **Implement DLP:** Deploy Data Loss Prevention (DLP) tools to flag or block the unauthorized transfer of large volumes of DICOM or sensitive PII files.
- **Enhanced Monitoring:** Use EDR/XDR solutions to identify "unusual activity" in real time rather than retrospectively.
- **Zero Trust Architecture:** Segment medical imaging databases (PACS) and financial servers from general office networks to hinder lateral movement.
- **External Link Inspection:** Monitor for mentions of the organization on dark web leak sites to expedite incident response.
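The "Exfiltration Detection" lesson above and the DLP recommendation both come down to the same control: notice, per host and per day, when outbound volume to external destinations jumps far above that host's own baseline, or when a burst of sensitive file types (DICOM images, scanned documents) leaves the network. The following is an added example, not code from the report or from the hospital; the transfer records, host names (`pacs-01`, `fs-02`, `ws-11`) and thresholds are constructed for illustration, and the only assumption is that a proxy, firewall or DLP agent can supply a per-transfer record of source host, whether the destination is external, byte count and file extension.

```python
from collections import defaultdict
from statistics import median

# File types whose bulk egress from a hospital network deserves an alert.
SENSITIVE_EXTS = {".dcm", ".jpeg", ".jpg", ".pdf"}

# Constructed sample records (illustrative only, not telemetry from the incident).
# Each tuple: (day, source host, destination is external?, bytes sent, file extension or None)
SAMPLE_TRANSFERS = [
    # quiet baseline days for a hypothetical imaging server
    ("2025-08-17", "pacs-01", True, 30_000_000, None),
    ("2025-08-18", "pacs-01", True, 35_000_000, None),
    ("2025-08-19", "pacs-01", True, 28_000_000, None),
    ("2025-08-20", "pacs-01", True, 33_000_000, None),
    ("2025-08-21", "pacs-01", True, 31_000_000, None),
    # one day with many DICOM images sent to an external host
    *[("2025-08-22", "pacs-01", True, 4_000_000, ".dcm") for _ in range(150)],
    # a file server with a small baseline and a single very large transfer
    ("2025-08-20", "fs-02", True, 5_000_000, None),
    ("2025-08-21", "fs-02", True, 6_000_000, None),
    ("2025-08-22", "fs-02", True, 7_000_000, None),
    ("2025-08-23", "fs-02", True, 400_000_000, ".jpeg"),
    # internal-only transfers (e.g. to a PACS viewer) are ignored by both detectors
    *[("2025-08-22", "ws-11", False, 4_000_000, ".dcm") for _ in range(200)],
]


def daily_egress(records):
    """Sum bytes sent to external destinations per (host, day)."""
    totals = defaultdict(int)
    for day, host, external, nbytes, _ext in records:
        if external:
            totals[(host, day)] += nbytes
    return totals


def egress_spikes(records, factor=5.0, min_history=3):
    """Flag (host, day, ratio) where a host's external bytes exceed
    `factor` times the median of its own earlier days.

    Each host is compared only against itself, so a busy imaging server
    is not judged by a workstation's baseline. At least `min_history`
    earlier days are required before a day can be scored."""
    per_host = defaultdict(list)
    for (host, day), nbytes in daily_egress(records).items():
        per_host[host].append((day, nbytes))
    alerts = []
    for host, series in per_host.items():
        series.sort()  # ISO dates sort chronologically
        history = []
        for day, nbytes in series:
            if len(history) >= min_history:
                base = median(history)
                if base > 0 and nbytes > factor * base:
                    alerts.append((host, day, round(nbytes / base, 1)))
            history.append(nbytes)  # note: a flagged day joins later baselines
    return alerts


def sensitive_file_bursts(records, threshold=100, exts=SENSITIVE_EXTS):
    """Flag (host, day, count) where at least `threshold` files with a
    sensitive extension went to external destinations in one day."""
    counts = defaultdict(int)
    for day, host, external, _nbytes, ext in records:
        if external and ext and ext.lower() in exts:
            counts[(host, day)] += 1
    return [(host, day, n) for (host, day), n in sorted(counts.items()) if n >= threshold]


if __name__ == "__main__":
    for host, day, ratio in egress_spikes(SAMPLE_TRANSFERS):
        print(f"EGRESS SPIKE  {host} {day}: {ratio}x the host's median daily volume")
    for host, day, n in sensitive_file_bursts(SAMPLE_TRANSFERS):
        print(f"FILE BURST    {host} {day}: {n} sensitive files sent externally")
```

On the constructed data the volume detector fires for `pacs-01` on 2025-08-22 and for `fs-02` on 2025-08-23, while the file-type detector fires only for the 150 DICOM transfers; the single large `.jpeg` on `fs-02` is caught by volume alone, which is why both checks are worth running together. The `threshold` and `factor` values are starting points and should be tuned against a site's real baseline before alerts are routed to an on-call queue.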