Dive Brief:
- It’s possible that a hack earlier this year exposed the personal information of two million patients in New England who received care at over 60 medical facilities connected to Shields Health Care Group, a supplier of medical imaging and outpatient surgical services.
- From March 7 to March 21, an “unknown actor” obtained access to Shields’ systems. After receiving a tip on suspicious activity on March 28, Massachusetts-based Shields launched an investigation into the issue and discovered that “some data was collected by the unknown attacker inside that time frame.”
- According to the HHS data breach portal, the incident, which Shields revealed on Tuesday, is the biggest so far this year.
Dive Insight:
The severity of cybersecurity breaches has been rising in the healthcare sector. According to cybersecurity company Critical Insight, a record 45 million people were impacted by healthcare cyberattacks last year, which is more than quadruple the number of people impacted in 2018.
Healthcare organisations are in the middle of a perfect storm: attacks are becoming more aggressive, complex, and numerous; cyberthreats are rising as a result of global events like Russia’s invasion of Ukraine; and according to one estimate, hospital IT budgets typically don’t prioritise cybersecurity, which makes up only 6 percent or less of IT spending.
After Shields, North Broward Hospital District in Florida experienced the largest breach this year, affecting the data of over 1.4 million patients. The HHS Office of Civil Rights, which keeps track of healthcare data breaches impacting 500 or more people, said the Broward incident was also a hacking and IT incident, similar to Shields’.
Shields has not yet discovered any proof that the attacker exploited any stolen data to commit fraud or identity theft. The affected data, meanwhile, was private and personal; it included full names and addresses, Social Security numbers, medical diagnoses, and billing information.
According to Shields, affected sites include the Tufts Medical Center in Boston, Emerson Hospital in Concord, Massachusetts, and UMass Memorial clinics in central Massachusetts.
Shields is still examining the affected data while notifying federal law enforcement of the attack. The business intends to get in touch with any impacted people immediately after the review is over.
In another high-profile attack this year, Tenet, one of the biggest for-profit health systems in the U.S., faced a cybersecurity breach in April that caused operational disruptions.
Tenet has not yet disclosed whether patient data was accessed.