Community First Medical Center Suffers 216K-Record Data Breach
Community First Medical Center in Chicago, IL, has started notifying 216,047 patients about a cyberattack that saw an unauthorized third party gain access to its computer systems on July 12, 2023. According to the September 26, 2023, breach notifications, a forensic investigation was launched that determined on July 28, 2023, that the third party had accessed files that contained patients’ protected health information.
The types of information compromised in the incident varied from individual to individual and may have included full names, telephone numbers, email addresses, Social Security numbers, medical record numbers, and Medicare numbers. Community First Medical Center said it is unaware of actual or attempted misuse of patient information; however, as a precaution, individuals who had their Social Security numbers exposed have been offered complimentary credit monitoring services. Community First Medical Center said many precautions had been taken prior to the cyberattack to secure patient data and that it will evaluate and modify its security practices to prevent further security breaches.
AlphV Ransomware Group Adds Healthcare Providers to its Data Leak Site
The AlphV ransomware group (aka BlackCat) has recently claimed responsibility for attacks on two U.S. healthcare providers – MNGI Digestive Health (MNGI) in Minnesota and Pain Care Specialists in Oregon.
MNGI is a physician-owned gastroenterology practice that was previously known as Minnesota Gastroenterology. According to the AlphV listing, MNGI was given 48 hours to make contact with the group or risk the release of 2+ TB of data that was allegedly stolen in the attack. The group claims the information posted will give patients grounds for a class action lawsuit and that violations of the storage of sensitive data in the company’s system will also be published.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The group also posted Pain Care Specialists on its website and claims to have exfiltrated 150 GB of data in the attack. The stolen data allegedly includes patient and employee medical records and other highly sensitive data. The group also claims to have gained access to portals of federal medical regulation web resources, which are used for managing prescribed medicine and through which access can be gained to the medical records of certain individuals. AlphV said it gave Pain Care Specialists until September 26, 2023, to make contact and negotiate payment or risk the exposure of the stolen data. AlphV also threatened to contact patients and contacts using the stolen information to inform them about the theft of their data. Samples of the stolen data have been added to the group’s leak site, although at the time of writing, the full data set has not been published.
Neither healthcare provider has publicly acknowledged any attack at this point.
