Anna Jaques Hospital based in Newburyport, Massachusetts recently informed government regulators and patients about a cyberattack and data breach on December 25, 2023. As per the breach notification submitted to the Maine Attorney General, the personal data of 316,342 people was possibly exposed in a cyberattack that resulted in the disruption of some services. This is commonly associated with a ransomware attack, though the notification did not mention ransomware.
Anna Jaques Hospital didn’t say in the notification letters the time it detected the attack or the network compromise. The website of the Maine Attorney General’s office mistakenly says the breach happened on December 25, 2024, and was identified on December 22, 2024. During the time of writing, no breach was posted on the HHS’ Office for Civil Rights website. OCR often lists data breaches on the OCR breach portal around two weeks after receiving the notification letter.
Anna Jaques Hospital mentioned in the notification letter upon discovery of the incident that it contained the attack started an investigation, and notified law enforcement. Top third-party cybersecurity specialists were involved in investigating the breach and identifying the scope of the unauthorized activity, and if there was exposure or theft of patient data.
The notification posted on January 23, 2024 on the Anna Jaques website gave patients an advance alert with regards to a potential data breach. The notice advised patients to be cautious against the misuse of their information. However, the hospital took 11 months to review the affected patient records. The notification letters say that an unauthorized party potentially accessed selected files that contain your data.
An updated website notification currently states that the types of data exposed because of the incident differ from person to person and might consist of names together with at least one of these data: demographic data, health data, medical insurance data, driver’s license number, Social Security number, financial data, and other personal or health details given to Anna Jacques.
Anna Jacques sent personal notification letters to the impacted people on December 5, 2024, and told them to continue to check financial account statements regularly for any fake transactions. Anna Jaques likewise advises patients to check the explanation of benefits statements they get from their medical insurance companies and follow up on any unrecognized items. The notification additionally says that the hospital has no knowledge of any fraud because of the incident.
The Maine Attorney General was informed that impacted persons were provided two years of credit monitoring services via Experian. Impacted people should make the most of any credit monitoring services that are provided because personal data and protected health data was stolen during the attack and was leaked on the dark web.
The Money Message ransomware group stated a claim on January 19, 2024, that it was responsible for the attack and mentioned the theft of 600 GB of data, The group added screenshots of some stolen records to the data leak site as evidence. The hospital had until January 26, 2024 to give ransom payment or the ransomware group would post the information on its leak site. The hospital did not pay any ransom, and so the stolen information was published on the data leak site, where any person can download it for 11 months now.
Ransomware attacks continue to increase especially on organizations trusted with sensitive information including Protected Health Information. In cybersecurity, it is important to promptly send notifications to the concerned individuals to maintain compliance and public trust. The late discovery of the breach in Christmas 2023 and informing the impacted persons almost one year later give the perception of an underestimation of the risks related to data exposure. The two-year credit and identity theft monitoring services offered by the hospital are good, but is quite late as the criminals had likely misused the data by then.
