Anna Jaques Hospital Notifies 316K Patients About December 2023 Ransomware Attack
Beth Israel Lahey Health’s Anna Jaques Hospital in Newburyport, Massachusetts, has recently notified regulators and patients about a cyberattack and data breach that occurred on Christmas Day in 2023. According to the notification sent to the Maine Attorney General, the personal information of 316,342 individuals was potentially compromised in a cyberattack that caused disruption to some of its systems – a phrase commonly used to describe a ransomware attack, although ransomware was not mentioned in the notification.
Anna Jaques Hospital did not state in the notification letters when the attack was detected or when its network was compromised. The Maine Attorney General’s website erroneously states the breach occurred on December 25, 2024, and was discovered on December 22, 2024. At the time of writing, there is no breach listed on the HHS’ Office for Civil Rights website. Data breaches tend to be added to the OCR breach portal up to two weeks after OCR receives the notification.
Anna Jaques Hospital explained in the notification letter that when the incident was detected, the attack was contained, an immediate and thorough investigation was initiated, and law enforcement was notified. Leading third-party cybersecurity experts were engaged to investigate the breach and determine the extent of the unauthorized activity, and whether any patient data had been exposed or stolen.
Patients were given advance warning about a possible data breach via a notice on the Anna Jaques website on January 23, 2024. The notice warned patients to be vigilant against the misuse of their data; however, it has taken 11 months for the affected data to be reviewed. The notification letters state that “certain files containing your information were potentially accessed by an unauthorized party.”
The website notification has now been updated and states that the types of information compromised in the incident vary from individual to individual and may include names along with one or more of the following: demographic information, medical information, health insurance information, Social Security number, driver’s license number, financial information, and other personal or health information provided to Anna Jaques.
Anna Jaques mailed individual notification letters to the affected individuals on December 5, 2024, and advised patients to “Remain vigilant in reviewing financial account statements on a regular basis for any fraudulent activity. Anna Jaques also recommends that its patients review the explanation of benefits statements that they receive from their health insurance providers and follow up on any items not recognized.” The notification also states that the hospital is unaware of any fraud as a result of the incident.
The Maine Attorney General was notified that affected individuals have been offered 24 months of credit monitoring services with Experian. Affected individuals should take advantage of any credit monitoring services that are offered, as personal and protected health information was stolen in the attack and has been published on the dark web.
On January 19, 2024, the Money Message ransomware group claimed responsibility for the attack and said 600 GB of data was stolen in the attack, and screenshots of some of the stolen data were added to the data leak site as proof. The hospital was given until January 26, 2024, to pay the ransom or the data would be published on its leak site. When that deadline was reached and no ransom was paid, the stolen data was uploaded to the data leak site, where it has remained available for anyone to download for 11 months and counting.
“Ransomware attacks, particularly on institutions we trust with our most sensitive data like hospitals, are increasingly concerning. In cybersecurity, timing and transparency are paramount, not only for the sake of compliance but also for maintaining public trust. The delay from discovering the breach around Christmas 2023 to notifying the affected individuals nearly a year later gives the impression of an underestimation of the risks associated with data exposure,” Javvad Malik, Lead Security Awareness Advocate at KnowBe4, told The HIPAA Journal. “The fact that the hospital has offered a two-year membership for credit and identity theft monitoring services is commendable, but given that the data has been available for almost a year, criminals have already had an opportunity to misuse the information.”