What happens if a hospital’s IT system goes down for an hour? Surgeries can get canceled, patient portals could vanish and test results could be gone. That vulnerability, the fact that hospitals can’t afford downtime, is exactly why cybercriminals target them relentlessly.
Largely due to AI’s rapid evolution over recent years, hospitals across northern Illinois face escalating cyberattacks, including data breaches like OSF’s and ransomware that forces systems offline.
Cybersecurity experts say the complexity of hospital IT systems, combined with 24/7 operations and the urgency of patient care, makes them ideal targets. Understanding these vulnerabilities matters for anyone in the region who depends on hospital services.
In late December 2025, OSF Saint Clare Medical Center in Princeton notified patients of a data breach involving its medical records system provider, Cerner.
In a letter to patients, the hospital said an unauthorized third party gained access to Cerner systems as early as January 2025. Cerner notified OSF Saint Clare in September. Law enforcement asked the hospital to delay notifying patients so it would not interfere with the investigation.
According to the notice, information that may have been involved included names, Social Security numbers and medical record details, including diagnoses, medications and test results.
OSF later confirmed to Shaw Local that multiple facilities were affected, but declined further comment as of Feb. 23.
This is not a local issue, and hospitals nationwide grapple with cyberattacks ranging from data leaks like OSF’s to ransomware that forces systems offline until hackers are paid.
Jon Pisani, who leads cybersecurity services at Chicago-based consulting firm PSM Partners, said hospitals’ intricate IT systems and the pressure to stay operational around the clock naturally make them attractive targets for cybercriminals.
“When you look at any small to medium business, they might have one or two hosted applications running,” Pisani said. “However, most hospitals in this country are running dozens of interrelated applications at a time that each present their own unique vulnerabilities, and they have to be operational 24/7, so it naturally opens the door for someone to gain access more easily.”
Hospitals also face greater urgency when systems go down, making them an ideal target for ransomware attacks.
“A somewhat small business may be able to withstand downtime for a few days,” Pisani said. “Hospitals aren’t afforded that. If a hospital’s system goes down … they’re canceling surgeries, patient portals can go down. It’s just incredibly disruptive, and threat actors understand that sense of urgency could play to their advantage.”
Illinois Valley Community College Chief Information Security Officer Brian Pichman said the rise of artificial intelligence has lowered the barrier to entry for attackers.
“It’s cheap, and it really can just do all the work for them,” Pichman said. “You can run an AI model and build a semi-functioning program in an hour or two. The cost has gone down, and the capabilities with AI have only gone up over the years.”
Pisani echoed that sentiment and explained what else AI allows cybercriminals to do.
“It allows a threat actor to efficiently parse through data more quickly to figure out how they want to attack a hospital system,” he said.
At the same time, he said AI tools put in place to help employees can create new risks inside organizations.
“Users aren’t necessarily trained on what they should or shouldn’t be putting into ChatGPT or whatever flavor of AI you’re using,” Pisani said. “Once information is put into public platforms, it’s now accessible to the public.”
Hackers still rely heavily on human error
In general, much of today’s cybercrime still begins with something as simple as an email, and attacks on healthcare organizations often start the same way.
“The majority of the time you’ll see email as the primary threat vector,” Pisani said. “They’re going to try to get someone to click a link or download something they’re not supposed to.”
Once an email account is compromised, attackers often monitor activity before deciding their next move.
“They’ll read through and see who you’re doing business with,” Pisani said. “Then they’ll poke around and potentially alter emails to extract valuable information.”
According to Pisani, today’s ransomware attacks often go beyond locking systems. Hackers may also steal data or reroute payments before demanding money.
“With good backups, we can restore systems,” he said. “What becomes more difficult is when they’ve siphoned out large subsets of data and threaten to disseminate it.”
While ransomware attacks are certainly a concern, both Pisani and Pichman said data exposure can have more long-term consequences if good backup systems aren’t in place.
“With ransomware, if you have backups, you can recover,” Pichman said. “What’s really challenging is stopping someone from posting your data once they have it.”
How are hospitals responding?
To combat evolving threats, Pisani said organizations rely on layered security measures.
These include limiting system access by location, requiring users to log in from company-managed devices, and implementing a “zero trust” model that continually verifies the identity of both users and systems.
Some hospitals have shared more details about what happens after a breach.
In 2023, Morris Hospital said an unauthorized party accessed part of its network and took data. Similar to OSF’s situation, the information included names, addresses, dates of birth, Social Security numbers, medical records, account numbers and diagnostic codes tied to patient care. The files involved current and former patients, as well as employees and their dependents.
Hospital officials said there were no reports of fraud, identity theft or other harm linked to the data breach.
Morris mailed letters to everyone whose data was accessed, explaining what happened and offering free identity monitoring. A notice about the breach was also posted on the hospital’s website for over two years.
Although Morris said it couldn’t share specific details for security reasons, the hospital said it added security measures after the incident.
Northwestern Medicine declined to comment on its cybersecurity experiences.
Still, Pisani cautioned against viewing cybersecurity as something that can ever be fully solved, as it’s constantly changing.
At PSM, he said his team continuously monitors emerging risks and trends, regularly discussing how the threat landscape is changing – an ongoing effort he described as a core part of their work.
“I don’t necessarily think we’re in a better or worse state than we were a year or two ago in dealing with cyberattacks,” he said. “I’d say we’re in a different state. Vulnerabilities that existed a year or two ago have mitigation steps now, but new threat vectors have been developed, and things will just continue to evolve.”
Pichman echoed that sentiment, saying healthcare systems will always be tested because of the amount of data they hold.
“There’s enough data there that it makes them a target,” he said. “As long as the data has value, people are going to keep trying to find ways in.”
What patients can do
Following their respective breaches, both OSF and Morris Hospital said they notified potentially affected individuals by mail and offered complimentary identity protection services.
OSF provided two years of free credit monitoring and identity restoration services through Experian. Patients must enroll to activate the credit monitoring benefits.
Morris Hospital also offered free identity monitoring services and said it mailed letters explaining what information was involved. A notice about the incident remained posted on its website for more than two years.
Both hospitals encouraged patients to check bank statements, medical bills and credit reports for unusual activity as soon as possible.
