Introduction
Anna Jaques Hospital [1] [2] [3] [4] [5] [6] [7], a not-for-profit community hospital in Newburyport [1] [3], Massachusetts [1] [3] [4] [5] [6] [7], experienced a significant cybersecurity incident in late 2023. This event, attributed to a ransomware attack by the Money Message threat actor, compromised sensitive patient data and highlighted the critical need for robust cybersecurity measures in the healthcare sector.
Description
Anna Jaques Hospital [1] [2] [3] [4] [5] [6] [7], part of Beth Israel Lahey Health [3], serves the Merrimack Valley [3] [5], North Shore [3] [5], and southern New Hampshire regions [3] [5]. On December 25, 2023 [1] [2] [4] [5] [6] [7], the hospital experienced a significant ransomware attack attributed to the Money Message threat actor, which exposed sensitive personal information for 316,342 patients [4]. The attackers began extorting the hospital on January 19, 2024, and threatened to release all stolen data if their ransom demands were not met [4]. In response, the hospital took its systems offline and contacted law enforcement [4].
The breach compromised a wide range of sensitive data, including names [7], demographic details [1] [3] [6] [7], medical records [1] [3] [7], health insurance information [1] [3] [6] [7], Social Security numbers [1] [3] [4] [5] [6] [7], driver’s license numbers [1] [3] [4] [5] [6] [7], financial information [1] [3] [4] [5] [6] [7], and other personal health data [1] [3] [6] [7]. The attackers claimed responsibility for stealing 600 GB of data, which they demonstrated by leaking various documents, such as intake forms [7], diagnoses [5] [7], imaging orders [7], patient health summaries [7], and consent forms [7], on January 26, 2024 [4] [5] [7]. The hospital opted not to negotiate with the attackers, resulting in the full release of the stolen data [4].
Although the hospital announced the incident on January 24, 2024, it took nearly a year to notify the affected individuals directly [7], with notifications beginning on December 5, 2024. The hospital also informed the Maine Attorney General about the breach on the same day. A year-long forensic investigation concluded on November 5, 2024 [4] [5], confirming unauthorized access to certain files; however, no evidence of misuse of the exposed information for identity theft or financial fraud was found [3].
In response to the breach [2], Anna Jaques Hospital is offering a complimentary two-year membership to Experian’s IdentityWorks Credit 3B [1], which includes credit report monitoring, identity theft protection [1] [2] [3] [4] [7], and dark web monitoring [1], to support those impacted [1] [5]. The hospital also recommends that affected individuals monitor their financial accounts and health insurance statements for any signs of fraudulent activity and consider placing a fraud alert or security freeze on their credit files. This incident underscores the critical need for enhanced cybersecurity measures in the healthcare sector [4], highlighting the potential for identity theft [4], financial fraud [3] [4], and reputational damage [4]. The decision not to pay the ransom reflects the complex considerations organizations face in such situations [4], necessitating ongoing vigilance to protect patient data [4].
Conclusion
The ransomware attack on Anna Jaques Hospital serves as a stark reminder of the vulnerabilities within the healthcare sector. The incident not only exposed sensitive patient data but also emphasized the importance of timely communication and robust cybersecurity strategies. By offering identity protection services and advising vigilance, the hospital aims to mitigate potential harm to affected individuals. This event underscores the necessity for healthcare organizations to continually enhance their cybersecurity frameworks to safeguard against future threats and protect patient information from malicious actors.
References
[1] https://www.infosecurity-magazine.com/news/anna-jacques-hospital-ransomware/
[2] https://www.bitdefender.com/en-us/blog/hotforsecurity/data-breach-at-anna-jaques-hospital-leaks-data-of-over-300-000-patients
[3] https://www.techradar.com/pro/security/major-hospital-ransomware-breach-exposed-data-of-300k-patients
[4] https://dailysecurityreview.com/security-spotlight/anna-jaques-hospital-ransomware-breach-exposes-data-of-300k-patients/
[5] https://securityaffairs.com/171801/data-breach/anna-jaques-hospital-data-breach.html
[6] https://www.scworld.com/brief/ransomware-impacts-more-than-310k-anna-jacques-hospital-patients
[7] https://www.comparitech.com/news/massachusetts-hospital-notifies-316000-people-of-data-breach-that-compromised-ssns-medical-and-financial-info/
