Prospect Medical Holdings Cyberattack Puts Connecticut Hospital Deal at Risk
On August 1, 2023, Los Angeles, CA-based Prospect Medical Holdings identified suspicious activity in some of its IT systems. A forensic investigation was conducted to determine the nature and scope of the security breach, and it was confirmed on September 13, 2023, that an unauthorized third party had access to some of its IT systems between July 31 and August 3, 2023, and during that time, accessed and/or acquired files containing the information of certain patients and employees.
The exposed data related to patients of the following facilities:
- Southern California Hospital at Culver City
- Southern California Hospital at Hollywood
- Southern California Hospital at Van Nuys
- Los Angeles Community Hospital
- Los Angeles Community Hospital at Norwalk
- Los Angeles Community Hospital at Bellflower
- Foothill Regional Medical Center
Prospect Medical Holdings has also confirmed that 24,130 current and former employees and dependents of Prospect Medical’s Eastern Connecticut Health Network (ECHN) and Waterbury Health facilities also had their information exposed. The exposed information varies from individual to individual and may have included names in combination with one or more of the following: address, date of birth, diagnosis, lab results, medications, other treatment information, health insurance information, provider/facility name, date(s) of treatment, and financial information. Some patients also had their Social Security number and driver’s license information exposed.
Individuals affected were notified about the breach on September 29, 2023, and complimentary credit monitoring and identity protection services have been offered to individuals who had their Social Security number or driver’s license information exposed. Prospect Medical Holdings said additional safeguards and technical security measures have now been implemented to better protect and monitor its systems.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The HHS’ Office for Civil Rights breach portal indicates 342,376 individuals were affected. Prospect Medical Holdings has not stated which threat actor conducted the attack. The Rhysida ransomware group has claimed responsibility.
Update: On November 13, 2023, Prospect Medical mailed follow-on notifications to 109,728 Connecticut residents who had previously received healthcare services through the Eastern Connecticut Health Network or Waterbury Health providing further information about the breach.
Acquisition Deal at Risk Following Cyberattack
The three hospitals in Connecticut that were affected by the attack are currently under an acquisition agreement with another healthcare provider, Yale New Haven Health. While the deal to acquire the facilities was agreed in October 2022, that deal could now be in doubt following the cyberattack. Yale New Haven Health is having mounting concerns about the acquisition of the Waterbury Health and ECHN facilities due to the cyberattack and the deteriorating condition of the hospitals.
A spokesperson for Yale New Haven Health said a multi-party recovery plan has been proposed to save the deal and that it is engaged in communications with Prospect Medical Holdings and is trying to agree on a path forward. Should the deal fall through, the healthcare facilities will be at risk of closure as they are not financially viable, which would be disastrous for the communities that the hospitals serve.
