MedStar Health, a prominent non-profit healthcare provider disclosed a data breach that impacts more than 183,000 patients from its hundreds of care locations which it operates in the Baltimore-Washington area in the U.S.
The not-for-profit healthcare provider is worth $7.7 billion and is one of the largest employers in the region with more than 34,000 associates working across 300 care locations including 10 hospitals and 33 urgent care clinics, ambulatory care centers and primary and specialty care providers. They together treat hundreds of thousands of patients on a yearly basis.
The impacted individuals’ personal data may have been compromised when an outsider gained access to emails and files of three employees, MedStar Health said in a statement on the data breach.
MedStar Health reported notifying 183,709 affected patients via letters and filed a notice with the Department of Health and Human Services.
The unauthorized access occurred sporadically between January and October last year, with patient information found in breached files and emails. Although there’s no indication of actual acquisition or viewing of patient data, the company couldn’t rule out such access.
Patient information including names, addresses, dates of birth, service dates, provider names and insurance details, were contained in the compromised emails and files, MedStar Health said.
The healthcare provider urged affected patients to monitor healthcare statements for any unusual activities and assured implementation of new safeguards to prevent future breaches.
Earlier MedStar Health Data Breach
The digital woes of the healthcare provider are not new. In fact, this is the second time in a decade that MedStar Health is facing a massive data breach scare.
In 2016, a virus, likely a ransomware malware infected the computer network of MedStar Health. This prompted a complete shutdown of services for the healthcare giant, which resulted in diversion of new patients to other hospitals and the care givers had to resort to pen and paper to continue regular operations.
The impact was such that the FBI was called in to investigate the MedStar Health data breach, which followed similar cyberattacks on at least three other medical institutions in California and Kentucky.
Healthcare Breaches on the Rise
This incident adds to a growing list of healthcare breaches and ransomware attacks, including the Change Healthcare that caused widespread disruptions across U.S. Initially described as an “enterprise-wide connectivity issue,” the severity of the attack went a bar above when Blackcat – also known as Alphv – ransomware gang claimed responsibility for it.
The Russia-based ransomware and extortion gang claimed to have stolen millions of Americans’ sensitive health and patient information, a tactic commonly employed by ransomware gangs to exert pressure on victims. However, on February 29, Blackcat withdrew its claim on the breached data of the healthcare group, raising questions if a ransom was paid.
The company did confirm that is paid a $22 million ransom later but it now faces multiple lawsuits for alleged negligence in safeguarding clients’ personal information. The parent company UnitedHealth has allocated over $2 billion to fight the fallout of the Change Healthcare data breach.
The company last week also stated that a lack of multi-factor authentication (MFA) resulted into the massive hack.
Blackcat in September 2023 claimed a similar data breach on McLaren Healthcare, where nearly 6 terabytes worth of data was siphoned. Owing to such large scale healthcare data breaches, the U.S. Cybersecurity and Infrastructure Security Agency in March unveiled a cybersecurity toolkit for healthcare sector that would help them implement advanced tools, that fortify their defenses against evolving threats.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.