New England healthcare provider Shields Health Care Group confirmed a data breach that exposed sensitive information of more than 2 million people.
In its data breach notification, the healthcare organization said it discovered the cyber intrusion on March 28, 2022.
Shields took immediate steps to contain the intrusion and hired cyber forensics specialists to determine the nature and scope of the attack. Additionally, the healthcare provider notified state and federal law enforcement agencies and relevant regulators, including the U.S. Department of Health and Human Services Office for Civil Rights.
According to the data breach notification, Shields responded by “rebuilding certain systems,” although it is unclear if ransomware was involved.
Shields offers MRI, PET/CT, and ambulatory surgery services at more than 40 locations in the New England region (Massachusetts, Maine, and New Hampshire). Founded in 1972 and with about 750 employees, the company has an annual revenue of more than $25 million.
Healthcare provider data breach leaked sensitive patient health information
Shields’ investigation determined that hackers had access to certain Shields systems from March 7, 2022, to March 21, 2022. The healthcare provider had investigated a security alert on March 18, 2022, but failed to detect the data breach.
“On March 28, 2022, Shields was alerted to suspicious activity that may have involved data compromise. Shields immediately launched an investigation into this issue and worked with subject matter specialists to determine the full nature and scope of the event,” the data breach notification stated.
Shields anticipates that the attackers accessed records containing the full name, date of birth, home address, provider information, diagnosis, social security number, patient ID, medical record number, treatment information, billing information, and insurance information.
This medical information is extremely sensitive and confidential and carries regulatory consequences if exposed. Attackers could use the information to execute social engineering and phishing attacks, extort the victims, or commit identity theft or fraud.
However, the healthcare provider assured its customers that the stolen information had not been misused or made available on other illegal channels such as hacker forums.
“To date, we have no evidence to indicate that any information from this incident was used to commit identity theft or fraud,” the company wrote.
However, it was too early to determine the potential implications of the healthcare provider’s data breach. Hackers usually exploit the information silently before selling it on underground forums for mass exploitation.
Shields’ data breach affected multiple healthcare facilities
The Shields data breach could affect 56 healthcare facilities and their patients. These healthcare organizations maintain partnerships with the compromised healthcare provider.
Healthcare organizations potentially impacted by the data security incident include Shields Management Company, Inc., Shields Imaging of Eastern Mass LLC., Shields PET/CT at Berkshire Medical Center, LLC., Tufts Medical Center, Central Maine Medical Center, Emerson Hospital, Falmouth Hospital, and Winchester Hospital, among others.
The healthcare provider said it was still investigating the data breach and would further notify any impacted parties.
Meanwhile, Shields advised potential victims to monitor their accounts for fraudulent activity. Additionally, the healthcare provider advised its customers to request credit reports from major credit bureaus such as Equifax, Experian, and TransUnion. Victims could also request credit freezes to prevent scammers from opening accounts using the stolen details.
Shields also reiterated that it “takes the confidentiality, privacy, and security of information in our care seriously” and “would continue to review and further enhance these protections” as part of its ongoing commitment to data security.
Sally Vincent, Senior Threat Research Engineer at LogRhythm, said the data breach highlighted the importance of proper protections to secure sensitive patient information.
“Healthcare organizations continue to have a target on their backs when it comes to data breaches and other malicious cyber activity due to the value of information housed within IT databases and the degree of vulnerability that comes along with humans dependent on these organizations for care,” she said. “Although Shields Health Care Group states that they have yet to find evidence that data accessed in the breach has been exposed or misused on illegal channels, ramifications still stand.”
According to Vincent, healthcare institutions must ensure that “cybersecurity controls are a constant priority” to protect patient information and their trust.
“Unfortunately, these organizations will continue to be susceptible to these attacks until they take cybersecurity as seriously as they take the business they are in,” Vincent lamented.
She recommended threat detection, password hygiene, and preventative and response controls to reduce IT downtime and other data breach implications.
Craig McDonald, VP of Product Management at BackBox, recommended network security automation, policy compliance, and backup strategies to mitigate the impacts of cybersecurity incidents.
“A backup strategy should include housing a complete IT inventory, outlining specific responsibilities, exercising alternative communication methods, and a means by which any member of the team can validate the results.”