Nearly 3 million affected by ransomware attack on medical software firm

Millions of people across the U.S. had their information exposed following a ransomware attack on a company that provides software to hospitals and emergency medical services.

In documents filed with several state regulators, Austin-based ESO Solutions said it “detected and stopped” a “sophisticated” ransomware attack on September 28 but determined on October 23 that the hackers had still been able to access personal and patient health information located on one of its impacted systems. The data theft occurred before the gang attempted to encrypt the information.

“This incident impacted data belonging to patients associated with ESO’s customers, including certain personal information and medical treatment information. This information included names, dates of birth, injury type, injury date, treatment date, treatment type and, in some cases, social security numbers,” they explained in a breach notification letter first sent out on December 12 and also posted on their website.

The company told regulators in Maine that 2.7 million were affected by the data breach. The FBI is investigating the incident, and ESO was ultimately able to restore its systems and operations thanks to having backups. The company has also notified the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) as well as several state attorneys general.

Since its founding in 2004, ESO has provided software to emergency medical service agencies, fire departments, hospitals, state and provincial offices, and federal agencies.

It did not provide a full list of hospitals and companies affected but noted the hospitals where Maine residents had information stolen:

• Mississippi Baptist Medical Center
• Merit Health Biloxi
• Merit Health River Oaks
• Forrest General Hospital
• Alaska Regional Hospital
• Memorial Hospital at Gulfport
• Providence Kodiak Island Medical Center
• Providence Alaska Medical Center
• Manatee Memorial Hospital
• Desert View Hospital

It is unclear if this is a full list of the affected ESO customers or not. The company did not respond to requests for comment about how many hospitals had information stolen, which ransomware group was behind the incident and whether a ransom was paid.

Victims will be provided with either one or two years of free credit monitoring services from Kroll based on what information was leaked.

Several facilities, including Florida’s Manatee Memorial Hospital, released notices to local news outlets about the incident.

The attack caps a devastating year for ransomware incidents involving hospitals and their suppliers.

Last week, a prominent cancer center based in Seattle dealt with ransomware hackers attempting to extort patients, and dental insurance giant Delta Dental of California filed breach notification documents in Maine and California saying nearly 7 million patients were affected by a ransomware gang’s attacks on a popular file transfer software this summer.

Ransomware attacks on Westchester Medical Center Health Network, Norton Healthcare, Tri-City Medical Center, Capital Health, Ardent Health Services and Prospect Medical Holdings over the last six months have left dozens of hospitals scrambling to provide patient care amid near-catastrophic technology outages.

Recorded Future — the parent company of The Record — reported at least 19 ransomware attacks on healthcare facilities last month and steep increases in incidents throughout 2023.

A study from University of Minnesota researchers released in October found that ransomware incidents increased the in-hospital mortality for patients admitted to attacked hospitals. The researchers estimate that from 2016 to 2021 between 42 and 67 Medicare patients died as a result of the outages caused by ransomware attacks.