Southern Illinois Dermatology Breach Exposes 160,000 Records After Five‑Month Notification Delay
Details on the 2025 Southern Illinois Dermatology breach, 160k records exposed, five‑month notification delay, and recommended defenses.

TL;DR
On November 28, 2025 an unauthorized party entered Southern Illinois Dermatology’s network, accessing names, addresses, dates of birth, Social Security numbers, and medical identifiers for 160,000 individuals. The provider waited five months to issue notifications, beginning on April 2, 2026, which may violate HIPAA and Illinois’ Personal Information Protection Act.
Context
Southern Illinois Dermatology is a regional skincare practice that stores extensive patient records. The breach came to light when a law firm, Schubert Jonckheer & Kolbe LLP, opened an investigation after detecting the exposed data. Although the intrusion occurred in late 2025, the clinic did not start notifying affected individuals until early 2026, a gap that regulators could view as untimely under breach‑notification timelines.
Key Facts
- Intrusion date: November 28, 2025.
- Records exposed: 160,000.
- Data types: full name, address, date of birth, Social Security number, telephone number, email address, person number, medical record number.
- Notification start: April 2, 2026 (≈ five‑month delay).
- Investigating counsel: Schubert Jonckheer & Kolbe LLP.
Technical details such as the attack vector, exploited vulnerability, or threat actor have not been publicly disclosed. Typical initial access methods for healthcare networks include phishing, compromised remote‑desktop credentials, and exploitation of unpatched internet‑facing systems such as VPN appliances, often followed by privilege escalation through known Windows flaws (e.g., CVE‑2023‑28252, a Windows CLFS driver elevation‑of‑privilege bug exploited in the wild). If the intrusion involved lateral movement, defenders would look for MITRE ATT&CK techniques T1021 (Remote Services) and T1059 (Command and Scripting Interpreter).
What It Means
The delayed notification may trigger penalties under HIPAA’s Breach Notification Rule (up to $1.5 million per violation category per year) and Illinois’ statute, which requires notice “in the most expedient time possible.” Affected individuals face heightened risk of identity theft, fraudulent medical claims, and phishing attacks leveraging the exposed data. The incident underscores the need for healthcare entities to treat breach detection and response as core operational functions, not afterthoughts.
What Defenders Should Do
- Enforce multi‑factor authentication on all remote access points and privileged accounts.
- Apply the latest patches for VPN and remote‑desktop solutions and for Windows hosts; prioritize flaws known to be exploited in the wild, such as CVE‑2023‑28252.
- Deploy network‑traffic analytics to detect anomalous lateral movement (MITRE ATT&CK T1021).
- Implement endpoint detection and response (EDR) with alerts for suspicious credential use (T1078).
- Conduct regular tabletop exercises that include a 72‑hour notification timeline to ensure compliance with HIPAA and state laws.
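The two detection items above (anomalous lateral movement, T1021, and suspicious credential use, T1078) are the kind of rules a SOC can run over authentication logs. The following is an added example written for this article, not code from the practice, the law firm, or any product named here. It works on constructed records shaped like Windows Security event 4624 (successful logon) with hypothetical hosts, accounts, and timestamps; the baseline of "normal" source hosts per account is likewise constructed. It flags three things: one account reaching many distinct hosts inside a short window, an account logging on from a source host outside its baseline, and a service account logging on interactively over RDP.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records shaped like Windows Security event 4624.
# Fields: timestamp, account, source host, target host, logon type (3 = network, 10 = RDP).
# Hosts, accounts and times are hypothetical and are not drawn from the incident.
SAMPLE_LOGONS = [
    ("2025-11-28T01:02:00", "jsmith", "WS-12", "FS-01", 3),
    ("2025-11-28T01:03:10", "jsmith", "WS-12", "FS-01", 3),
    ("2025-11-28T02:15:00", "svc-backup", "WS-07", "DC-01", 10),
    ("2025-11-28T02:16:30", "svc-backup", "WS-07", "FS-01", 3),
    ("2025-11-28T02:17:45", "svc-backup", "WS-07", "EHR-DB", 3),
    ("2025-11-28T02:19:00", "svc-backup", "WS-07", "IMG-02", 3),
    ("2025-11-28T02:20:10", "svc-backup", "WS-07", "DC-02", 3),
    ("2025-11-28T09:00:00", "jsmith", "WS-12", "FS-01", 3),
]

# Constructed baseline: the source hosts each account normally authenticates from.
BASELINE_SOURCES = {
    "jsmith": {"WS-12"},
    "svc-backup": {"BKP-01"},
}


def _parse(record):
    """Split a record tuple and turn the ISO timestamp into a datetime."""
    ts, account, src, dst, logon_type = record
    return datetime.fromisoformat(ts), account, src, dst, logon_type


def detect_lateral_movement(logons, window=timedelta(minutes=10), min_targets=4):
    """Flag accounts that reach at least min_targets distinct hosts within one sliding window.

    Returns {account: sorted targets in that account's densest window} for accounts over threshold.
    """
    by_account = defaultdict(list)
    for rec in logons:
        ts, account, _src, dst, _lt = _parse(rec)
        by_account[account].append((ts, dst))
    alerts = {}
    for account, events in by_account.items():
        events.sort()
        best = set()
        for i, (start, _dst) in enumerate(events):
            # Events are time-ordered, so everything within `window` of `start` follows index i.
            targets = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(targets) > len(best):
                best = targets
        if len(best) >= min_targets:
            alerts[account] = sorted(best)
    return alerts


def detect_new_source_hosts(logons, baseline):
    """Flag the first logon of each account from a source host missing from its baseline (T1078 style)."""
    seen = set()
    alerts = []
    for rec in sorted(logons):  # ISO timestamps sort lexically in time order
        ts, account, src, _dst, _lt = _parse(rec)
        if src in baseline.get(account, set()) or (account, src) in seen:
            continue
        seen.add((account, src))
        alerts.append((account, src, ts.isoformat()))
    return alerts


def detect_interactive_service_logons(logons, service_prefix="svc-", interactive_types=(10,)):
    """Service accounts should not log on interactively; flag RDP (type 10) logons by them."""
    return [
        (rec[1], rec[3], rec[0])
        for rec in sorted(logons)
        if rec[1].startswith(service_prefix) and rec[4] in interactive_types
    ]


if __name__ == "__main__":
    print("lateral movement:", detect_lateral_movement(SAMPLE_LOGONS))
    print("new source hosts:", detect_new_source_hosts(SAMPLE_LOGONS, BASELINE_SOURCES))
    print("interactive service logons:", detect_interactive_service_logons(SAMPLE_LOGONS))
```

On the sample data only the `svc-backup` account trips the rules: five distinct targets inside ten minutes, a source workstation not in its baseline, and an RDP logon by a service account. The thresholds (`window`, `min_targets`, the service-account prefix) are tuning knobs that should be set from an environment's own baseline rather than taken from this example.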
Watch for any formal enforcement actions from HHS OCR or the Illinois Attorney General, and for updates on whether threat actors attempt to monetize the stolen data on underground markets.