Anna Jaques Hospital has confirmed that a ransomware attack discovered on Christmas Day 2023 compromised yet another healthcare facility, exposing the private medical information of more than 316,000 people.
Anna Jaques Hospital is a major healthcare provider serving the Merrimack Valley, North Shore, and southern New Hampshire regions. It is well-known for offering advanced medical care, performing over 4,700 surgeries annually.
The hospital plays a significant role in providing vital medical services to its surrounding communities, with 1,200 employees, 200 physicians, and 83 beds.
In December 2023, Anna Jaques Hospital discovered a cyberattack affecting some of its systems. The organisation promptly alerted law enforcement and took the impacted systems offline to contain the damage.
On January 19, 2024, the ‘Money Message’ ransomware group publicly extorted the hospital, claiming to have stolen confidential information and posting samples of the data on its dark web leak site. The attackers threatened to release the private medical data in full unless their demands were met. On January 24, the hospital opened an investigation in response to the group’s threat.
The hospital chose not to negotiate with the attackers, and on January 26 the Money Message group released all of the stolen data. On November 5, 2024, the hospital announced that it had completed a “thorough forensic investigation and manual document review.” The investigation found that files containing sensitive information on 316,342 patients had been accessed by an unauthorised party.
The compromised data includes demographic information, medical records, health insurance information, Social Security numbers, driver’s license numbers, banking details, and any other personal or health information patients had shared with the hospital.
The hospital stated that there is “no indication of a scam” resulting from the attack. Information Security Media Group asked for more information on the breach and on Money Message’s claims, but a lawyer for Anna Jaques Hospital did not respond.
According to the breach report, Anna Jaques Hospital hired external cybersecurity experts to handle the incident. However, Paul Underwood, vice president of cybersecurity at Neovera, a provider of cloud and cybersecurity services, notes that many non-profit organisations have difficulty recruiting cyber expertise.
Underwood said such organisations often struggle to hire enough security staff to maintain their systems, operate efficiently, and detect attackers already inside their networks.
Experts also note that Anna Jaques Hospital has not explained why the review of the affected data took so long. The timing of the attack around the holidays, however, was not unusual, according to Jeff Wichman, director of incident response at Semperis and a former ransomware negotiator.
Wichman further said:
An entire year for a forensic investigation is unheard of. In my experience, the longest investigations ran four to five months and those involved millions of users, which isn’t the case with this attack as reported.
In cybersecurity, speed and transparency are crucial, not only for compliance but also for maintaining public trust. That it took nearly a year to notify affected individuals after the breach was discovered in late 2023 may suggest that the risk posed by the data exposure was underestimated.
Although the hospital is offering those affected a two-year credit and identity theft monitoring subscription, the lengthy delay has already given cybercriminals ample time to exploit the exposed data.
Cybercriminals can use stolen data to craft highly targeted phishing attacks, tricking victims into revealing even more private information or granting access to their accounts. These attacks not only harm individuals but can also result in broader security breaches for organisations.
Phishing attacks are on the rise, and it is important to protect your organisation. One effective way to do so is by increasing user awareness of these types of attacks. Phishing Tackle can help in this regard, offering a free 14-day trial to train your users to recognise and avoid phishing attacks.