- Two million patients in New England who received care at almost 60 healthcare facilities affiliated with Shields Health Care Group, a medical imaging and outpatient surgical services provider, may have had their personal data exposed in a cyberattack earlier this year.
- An “unknown actor” gained access to Shields’ systems from March 7 to March 21. On March 28, Shields was alerted to suspicious activity and a subsequent investigation into the incident found that “certain data was acquired by the unknown actor within that time frame,” according to Massachusetts-based Shields.
- The attack, which Shields disclosed Tuesday, is the largest so far this year, according to the HHS’ data breach portal.
Cybersecurity breaches have been increasing in severity in the healthcare industry. Last year, a record 45 million people were affected by healthcare cyber attacks, more than triple the number of individuals affected in 2018, according to cybersecurity firm Critical Insight.
Healthcare companies face a perfect storm: attacks are advancing in aggression, complexity and volume; cyber threats are mounting from international events like Russia’s invasion of Ukraine; and cybersecurity typically isn’t a priority in hospital IT budgets, making up just 6% or less of IT spending, by one estimate.
Following Shields, the next-largest breach disclosed this year occurred at North Broward Hospital District in Florida, when the data of approximately 1.4 million patients was impacted. Like Shields, the Broward event was also a hacking and IT incident, according to HHS’ Office of Civil Rights, which tracks healthcare data breaches affecting 500 or more individuals.
So far, Shields has found no evidence the attacker used any stolen data to commit identity theft or fraud. However, the information impacted was private and personal, including full names and addresses, Social Security numbers, medical diagnosis and billing information.
Impacted facilities include Tufts Medical Center in Boston, Emerson Hospital in Concord, Massachusetts, and clinics owned by UMass Memorial, a regional system in central Massachusetts, Shields disclosed.
Shields, which has notified federal law enforcement about the attack, is continuing to review impacted data. Once the review is completed, the company plans to directly contact any impacted individuals.
In another high-profile attack this year, Tenet, one of the largest for-profit health systems in the U.S., experienced a cybersecurity incident in April that disrupted operations.
Tenet has yet to disclose whether patient data was accessed.