Shields Healthcare Group recently suffered a data breach that put the personal information of roughly 2 million people at risk. The Massachusetts-based healthcare company provides management, MRI, PET, CT, and ambulatory surgical services on behalf of healthcare facilities in New England.
According to a notification published on the company’s official website, Shields became aware of the malicious activity on March 28, 2022. Data security specialists investigated the incident shortly afterward to gain deeper insight.
The examination of log files revealed that the hacker had access to Shields’ network server from March 7, 2022, to March 21, 2022.
Since Shields’ business involves partnerships with a range of healthcare providers, the incident may have involved data from 56 healthcare facilities and their patients. Some of these entities include Emerson Hospital, Franklin MRI Center, Cape Cod CT Services, Tufts Medical Center, and Winchester Hospital.
Apart from that, Shields reported to the US Department of Health and Human Services that the data of 2 million people might have been compromised.
At this point, there is no evidence that the incident has been used to commit identity theft or fraud. However, the data that may have been accessed included patient information such as:
- Full name
- Social Security number
- Date of birth
- Home address
- Provider information
- Diagnosis
- Billing information
- Insurance number and information
- Medical record number
- Patient ID
- Other medical or treatment information
What’s alarming is that the above information is highly sensitive and can be used for phishing, scams, and even extortion.
“Upon discovery, we took steps to secure our systems, including rebuilding certain systems, and conducted a thorough investigation to confirm the nature and scope of the activity and to determine who may be affected. Additionally, while we have safeguards in place to protect data in our care, we continue to review and further enhance these protections as part of our ongoing commitment to data security,” said Shields.
The cyberattack was reported to federal law enforcement, while additional state and federal regulators were yet to be informed. Shields also said that once it finished analyzing the impacted data, it would notify the affected individuals so they could take precautionary measures.
Regardless, Shields has published a series of precautionary steps on its website, which potential victims are encouraged to take to secure their information. Moreover, the organization can be contacted during office hours with additional questions about the incident.
Sophos’ recent report shows that 66% of healthcare organizations suffered ransomware attacks in 2021, compared to 34% in 2020. This indicates that the share of affected healthcare institutions has roughly doubled in just one year.
On the one hand, ransomware attacks are getting increasingly sophisticated, with ransomware services readily available for purchase. On the other hand, healthcare organizations don’t seem to be keeping pace, with many of them yet to upgrade to the cloud.
To prevent incidents like these from happening, healthcare institutions need to join forces with cloud hosting companies, businesses, and law enforcement to revamp their cybersecurity strategies.