Regional healthcare systems report data breaches affecting more than 1.5 million

Two healthcare networks reported data breaches this week that will impact more than 1.5 million people. 

Connecticut’s Community Health Center Inc. and California’s NorthBay Healthcare Corporation filed breach notifications with regulators in multiple states warning that breaches last year exposed troves of patient data including healthcare data, financial information, Social Security numbers and more. 

Community Health Center, which runs dozens of facilities and clinics across Connecticut, said 1,060,936 current and former patients had data stolen during a cyberattack discovered on January 2. 

“That same day, we brought in experts to investigate and reinforce the security of our systems. They found that a skilled criminal hacker got into our system and took some data, which might include your personal information,” the company said.

“Fortunately, the criminal hacker did not delete or lock any of our data, and the criminal’s activity did not affect our daily operations. We believe we stopped the criminal hacker’s access within hours, and that there is no current threat to our systems.”

But the hacker did access health records that included names, addresses, phone numbers, diagnoses, treatment details, test results, health insurance information and Social Security numbers. 

Victims are being offered two years of identity protection services and a $1 million insurance reimbursement policy for those who may face issues due to the data breach.

Another regional healthcare system, California-based NorthBay Healthcare, reported its own data breach impacting 569,012 people. The nonprofit organization runs two hospitals in northern California, a 100-provider primary and specialty care medical group, a cancer center and other facilities.

The organization told regulators in Maine that hackers breached their systems last year and had access from January 11 to April 1.

The cybercriminals gained access to Social Security numbers, passport numbers, financial information, medical data, health insurance info, credit card and debit card numbers that included expiration dates, security codes and PIN numbers. 

Those affected are being given one year of identity protection services. 

The attack on NorthBay Healthcare was claimed by the Embargo ransomware gang in April 2024. The hospital was forced to turn patients away and cancel appointments following the ransomware attack.