Community Clinic of Maui says 123,000 affected by May cyberattack

The Community Clinic of Maui warned more than 123,000 people that their information was accessed by hackers during a cyberattack in May. 

The clinic, also known as Mālama, said the hackers had access to personal data between May 4 and May 7, stealing  information including Social Security numbers, passport numbers, financial account numbers with CVV numbers and expiration dates as well as troves of data on medical treatments. 

The hackers also stole routing numbers, bank names, financial account numbers and some biometric data. A total of 123,882 were impacted by the attack, which forced the clinic to take servers offline.

The incident, which local news outlets reported was a ransomware attack, caused outrage among residents because Mālama was forced to close for nearly two weeks. Even when it reopened at the end of May, it offered limited services and nurses said they were forced to use paper charts, losing access to all of the facility’s computers.

Mālama said it contacted law enforcement and hired cybersecurity experts to investigate the incident before its findings were confirmed on August 7. 

The organization said in a notice on its website that people “whose Social Security numbers were potentially impacted have been offered complimentary credit monitoring” but a filing with regulators in Maine said identity theft protection services are not being offered.

The organization did not respond to requests for clarification. A law firm said it is investigating potential lawsuits against Mālama over the data breach.  

The attack on Mālama was claimed in June by LockBit, a notorious ransomware gang that was shut down by law enforcement agencies earlier this year. 

On Tuesday, Europol and several law enforcement agencies announced a range of actions targeting the group, including four arrests and seizures of servers critical for LockBit’s infrastructure in France, the U.K. and Spain.

Throughout 2024, crucial hospitals and healthcare systems have been the victim of cyberattacks, limiting services offered and endangering communities across the U.S. 

Two major health systems running multiple hospitals — McLaren Health Care and Ascension — have dealt with devastating ransomware attacks and last week, one of the only level 1 trauma centers in the southwest was forced to turn away ambulances after an attack.