Maternal & Family Health Services (MFHS), a nonprofit healthcare provider in Pennsylvania, has disclosed that hackers obtained the personal information of almost half a million individuals.
The Breach Incident
According to TechCrunch, MFHS said last week that it had been the victim of ransomware, which resulted in the exposure of the personal information of present and past MFHS patients, staff, and suppliers.
The healthcare company reported learning of the issue on Apr. 4, but it now believes the data may have been exposed as early as August 21, 2021.
MFHS did not confirm the number of people impacted by the incident. However, the attorney general's office in Maine issued a letter this week saying that 461,070 persons were exposed by the attack, with just 68 of them living in the state.
On Tuesday, Jan. 10, more than nine months after the organization was initially notified of the ransomware issue, MFHS informed affected people via letter that hackers had gained access to personal data.
The exposed information includes full names, addresses, dates of birth, driver's license numbers, Social Security numbers, usernames and passwords, health insurance and medical details, and financial details. The notice also indicated that the thieves had taken credit and debit card details.
As of Wednesday, Jan. 11, no prominent ransomware gang had claimed credit for the attack.
According to TechCrunch, the motives behind the cyberattack, whether or not a ransom was paid, and why MFHS did not make the event public sooner all remain unanswered.
Same Event, Same Sector
Unfortunately, cybercriminals have targeted the healthcare industry before.
In October 2022, the Australian health insurance company Medibank was hacked, exposing the personal information of 9.7 million active and inactive policyholders and their legal representatives. The data obtained consists of full names, birth dates, addresses, phone numbers, and email addresses.
The breach was linked to Russia, and the attackers are suspected to be affiliated with the REvil ransomware group. The insurance firm had refused to pay a $10 million ransom.
Medical claims for long-term diseases like heart disease, together with patient data for those with cancer, dementia, mental health issues, and infections, were leaked in November 2022.
Additionally, the private details of hundreds of consumers, including 123 claims relating to abortion, mental health, and alcohol misuse, were leaked via a website.
The hacker reportedly claimed to be a company employee with high-level access and stole company credentials. A batch of data was sold on a Russian cybercrime site.
Medibank said on October 13, 2022, that services would be temporarily suspended due to a cyber issue. The hackers then informed the corporation that they had obtained 200 GB of user data from its systems.