Massachusetts-based Shields Health Care Group experienced a cyber incident that might have impacted the personal data of 2 million patients.
“To date, we have no evidence to indicate that any information from this incident was used to commit identity theft or fraud,” the group said.
On 28 March 2022, Shields was alerted to suspicious activity that might have resulted in data compromise.
The investigation revealed that an unknown actor accessed certain Shields systems from 7 March to 21 March.
The types of patient data that may have been impacted include: name, Social Security number, date of birth, home address, provider information, diagnosis, billing information, insurance number and information, medical record number, patient ID, and other medical or treatment information.
“We have notified federal law enforcement and will be reporting this incident to relevant state and federal regulators. Further, once we complete the review of the impacted data, we will directly notify impacted individuals where possible so that they may take further steps to help protect their information, should they feel it is appropriate to do so,” Shields said.
Even though the company has no evidence of identity theft or fraud, it strongly recommends individuals review its security guidance.
Shields also provided an extensive list of partners that may have been impacted by the incident. It has reported the attack to the US Department of Health and Human Services Office for Civil Rights, saying 2 million people might have been impacted.
According to the company’s website, Shields Health Care Group provides MRI, PET/CT, and ambulatory surgical services to patients at more than 30 locations in New England.
A recent survey by cybersecurity firm Sophos showed that two-thirds of healthcare organizations were hit with a ransomware attack last year. The share of affected organizations in the field has almost doubled, from 34% in 2020 to 66% last year.
Researchers claim that the increasing number of attacks against the sector signals the growing success of the ransomware-as-a-service (RaaS) model. RaaS significantly reduces entry barriers for cybercriminals as they can purchase ready-to-use malware.