By - Hospital Sisters Health System files new report with the Maine Attorney General
- It confirmed more than 800,000 affected in an August 2023 breach
- Compromised people are getting a year’s worth of free identity theft monitoring
Hospital Sisters Health System (HSHS), a nonprofit, Catholic healthcare system, suffered a cyberattack one and a half years ago, which resulted in the theft of sensitive patient data.
The firm has now filed a report with the Maine Office of the Attorney General, in which it detailed the attack, noting it discovered an “unauthorized third party” gaining temporary access to its network, on August 27, 2023.
“Upon learning of the situation, we immediately took steps to contain and remediate the incident and launched an internal investigation,” HSHS said in the filing.
Stealing sensitive data
The investigation determined that the unnamed attackers dwelled on HSHS’ network between August 16 and August 27, and during that time exfiltrated sensitive information belonging to exactly 882,782 people.
“We have since been reviewing those files and notifying individuals whose information was found in the files on a rolling basis as our review has continued,” the organization said.
While the type of information stolen varied from person to person, in general it included full names, postal addresses, birth dates, medical record numbers, limited treatment information, health insurance information, Social Security numbers (SSN), and driver’s license numbers.
This is more than enough to engage in highly personalized phishing, identity theft, or even wire fraud. However, HSHS says that at this time it has “no reason to believe” the data has been misused.
Healthcare information is highly sought on the black market because it contains sensitive personal, financial, and medical data that can be exploited for various types of fraud and cybercrimes. Unlike credit card data, which can be quickly canceled, stolen medical records provide long-term value as they include Social Security numbers, insurance details, and medical histories that can be used for identity theft, fraudulent billing, prescription fraud, and even blackmail. Additionally, the resale price of medical records is significantly higher than financial data due to their completeness and difficulty in detection.
That being said, even though there is no evidence of misuse, “out of an abundance of caution”, HSHS offered affected individuals a year’s worth of credit and identity theft monitoring through Equifax.
Via BleepingComputer
