New England healthcare provider Shields Health Care Group has confirmed a data breach that exposed the sensitive information of more than 2 million people.
In its data breach notification, the healthcare organization said it discovered the cyber intrusion on March 28, 2022.
Shields took immediate action to contain the intrusion and hired cybercrime specialists to determine the nature and scope of the attack. In addition, the healthcare provider has notified relevant state and federal law enforcement and regulatory agencies, including the US Department of Health and Human Services Office for Civil Rights.
According to the data breach notification, Shields responded by “rebuilding some systems,” although it’s unclear whether ransomware was involved.
Shields offers MRI, PET/CT and day surgery services at over 40 locations in the New England area (Massachusetts, Maine and New Hampshire). Founded in 1972 and employing approximately 750 employees, the company has annual sales of over $25 million.
Healthcare provider data breach leaked sensitive patient health information
Shields’ investigation determined that hackers gained access to certain Shields systems from March 7, 2022 to March 21, 2022. The healthcare provider investigated a security alert on March 18, 2022 but failed to detect the data breach.
“On March 28, 2022, Shields was alerted to suspicious activity that may have involved a data compromise. Shields immediately launched an investigation into this issue and worked with subject matter experts to determine the full nature and scope of the event,” the data breach notification reads.
Shields believes that the attackers accessed records containing full name, date of birth, home address, provider information, diagnosis, Social Security number, patient ID, phone number, medical record, treatment information, billing information and insurance information.
This medical information is extremely sensitive and confidential and carries regulatory consequences if exposed. Attackers could use the information to execute social engineering and phishing attacks, extort victims, or commit identity theft or fraud.
However, the healthcare provider assured its customers that the stolen information was not misused or made available on other illegal channels such as hacker forums.
“At this time, we have no evidence that information from this incident was used to commit identity theft or fraud,” the company wrote.
However, it was too early to determine the potential implications of the healthcare provider data breach. Hackers usually mine information silently before selling it on underground forums for mass exploitation.
Shields data breach affected multiple healthcare facilities
The Shields data breach could affect 56 healthcare facilities and their patients. These facilities maintain partnerships with the compromised healthcare provider.
Healthcare organizations potentially impacted by the data security incident include Shields Management Company, Inc., Shields Imaging of Eastern Mass LLC., Shields PET/CT at Berkshire Medical Center, LLC., Tufts Medical Center, Central Maine Medical Center, Emerson Hospital, Falmouth Hospital, and Winchester Hospital, among others.
The healthcare provider said it is still investigating the data breach and will further notify all affected parties.
Meanwhile, Shields advised potential victims to monitor their accounts for any fraudulent activity. Additionally, the healthcare provider advised its customers to request credit reports from major credit bureaus such as Equifax, Experian and TransUnion. Victims could also apply for credit freezes preventing scammers from opening accounts using the stolen details.
Shields also reiterated that it “takes the privacy, confidentiality and security of the information in our custody seriously” and “will continue to review and further improve these protections” as part of its ongoing commitment to data security.
Sally Vincent, senior threat research engineer at LogRhythm, said the data breach underscored the importance of proper safeguards to secure sensitive patient information.
“Healthcare organizations continue to have a target on their backs when it comes to data breaches and other malicious cyber activity due to the value of the information housed in computer databases and the degree of vulnerability that comes with the humans dependent on these organizations for care,” she said. “While Shields Health Care Group says it has not yet found evidence that data accessed in connection with the breach was exposed or misused through illegal channels, the ramifications remain.”
According to Vincent, healthcare institutions must ensure that “cybersecurity controls are an ongoing priority” to protect patient information and trust.
“Unfortunately, these organizations will continue to be susceptible to these attacks until they take cybersecurity as seriously as they take the business they operate in,” Vincent lamented.
She recommended threat detection, password hygiene, and preventive and response controls to reduce IT downtime and other data breach implications.
Craig McDonald, vice president of product management at BackBox, recommended network security automation, policy compliance, and backup strategies to mitigate the impacts of cybersecurity incidents.
“A backup strategy should include hosting a comprehensive IT inventory, outlining specific responsibilities, exercising alternate communication methods, and a means by which any team member can validate findings.”