The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Snatch Ransomware Group Behind Mount Desert Island Hospital Cyberattack

Mount Desert Island Hospital, Inc. (MDIH) in Bay Harbor, ME, has provided a supplemental data breach notification to the Maine Attorney General about a data security incident first reported on July 17, 2023. Suspicious activity was detected within its network on May 7, 2023, and the forensic investigation determined that an unauthorized third party had access to its network between April 28, 2023, and May 7, 2023. MDIH said it initiated a review of the files on the compromised parts of its network and has now confirmed that they contained the personal and protected health information of 32,661 individuals, including 26,046 Maine residents.

The exposed information included employee data: names in combination with one or more of the following data elements: date of birth, driver’s license/state identification number, Social Security number, and financial account information. Patient data was also exposed: name, address, date of birth, driver’s license/state identification number, Social Security number, financial account information, medical record number, Medicare or Medicaid identification number, mental or physical treatment/condition information, diagnosis code/information, date of service, admission/discharge date, prescription information, billing/claims information, personal representative or guardian name, and health insurance information.

Affected individuals started to be notified on June 5, 2023, and were offered complimentary credit monitoring and identity theft protection services. Neither the substitute breach notification on the MDIH website nor the Attorney General notifications provide further information on the exact nature of the attack; however, this appears to have been a ransomware attack involving Snatch ransomware.

The Snatch ransomware group claims to have stolen 266 GB of data in the attack and has listed the full data on its leak site. One 89 GB data file is listed as being downloaded 416 times and a 177 GB data file has been downloaded 390 times. As such, all individuals notified about the attack should ensure that they sign up for the complimentary credit monitoring and identity theft protection services.

Pharm-Pacc Corporation Reports Exposure of PHI of 3,749 Individuals

Pharm-Pacc Corporation, a Coral Gables, FL-based provider of managed recovery services to hospitals, has experienced a data security incident. Suspicious activity was detected within its IT environment on March 24, 2023. After securing its systems, Pharm-Pacc conducted a forensic investigation, which confirmed on May 23, 2023, that an unauthorized third party had accessed its systems. On June 14, 2023, Pharm-Pacc confirmed that one of the systems that was accessed contained the protected health information of patients.

The exposed information included names, dates of birth, patient account numbers, medical record numbers, dates of service, addresses, driver’s license numbers, medical device identifiers, taxpayer identification numbers, telephone numbers, email addresses, medical images, license plate numbers, death dates, digital signatures, and Social Security numbers. While the above data was exposed, Pharm-Pacc has found no evidence to suggest any of that information has been misused. Affected individuals were notified about the breach on September 11, 2023. The breach was reported to the HHS’ Office for Civil Rights as affecting 3,749 individuals.

Ryders Health Management Suffers Ransomware Attack

Ryders Health Management, a Stratford, CT-based provider of skilled nursing and rehabilitation services, has recently confirmed that unauthorized individuals gained access to its network and used ransomware to encrypt files. The attack was detected on July 9, 2023, and Ryders Health Management said the threat actor only had access to its network for a short period; however, files were downloaded that contained patient data.

The review of the files confirmed they contained protected health information such as names, addresses, dates of birth, Social Security numbers, date(s) of service, medical record numbers, identification numbers, care plan, provider and facility names, medications, lab results, diagnostic and treatment information, health insurance information, and healthcare payment information. The types of exposed information varied from individual to individual.

Ryders Health Management said it has implemented additional security protocols to protect its network, email environment, and systems, and is currently assessing the entirety of its information security program. Affected individuals have been notified by mail and have been offered complimentary credit monitoring and identity theft protection services. The breach was reported to the Office for Civil Rights as affecting 7,252 individuals.

United Healthcare Services Confirms 315,915 Individuals Affected by MOVEit Data Breach

United Healthcare Services in Connecticut has confirmed that the Clop group exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer solution in May, and exfiltrated files containing the protected health information of 315,915 individuals.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
