Social Security numbers stolen in ransomware attack on maternal health org
Social Security numbers and other sensitive data was stolen by cybercriminals in a ransomware attack targeting a maternal health service, according to a new statement from the organization.
On Thursday, Maternal & Family Health Services said it was alerted to the ransomware attack on April 4 – more than eight months ago – and was told by cybersecurity experts that the hackers had access to their systems as far back as August 21, 2021.
The private non-profit, which serves Northeastern Pennsylvania, confirmed that it only began sending breach notification letters on Tuesday.
The hackers gained access to personal information that included names, addresses, dates of birth, Social Security numbers, driver’s license numbers, financial account/payment card information, usernames and passwords, medical information and health insurance information.
When pressed on why there was such a large gap between when the attack was discovered and when the notices were sent out, a spokesperson said they “worked diligently with third-party forensic investigators to determine what happened and whose information was impacted.”
Those affected include employees, patients and vendors. The company did not respond to questions about how many people were impacted by the breach.
“We understand the inconvenience or concern this incident may cause and are committed to strengthening our systems’ security to prevent this kind of incident from happening again,” Maternal & Family Health Services CEO Maria Montoro Edwards said in a statement.
The letters to victims included offers from the organization of free credit monitoring and identity theft protection services to individuals whose Social Security number or financial account and payment card information may have been leaked.
The organization has also created a hotline for those with questions. They have offices in 17 Pennsylvania counties, serving over 90,000 women, men and children each year.
No ransomware group has been tied to the attack on the organization. Ransomware attacks on hospitals resulting in the leak of sensitive patient information are now so common that the U.S. Department of Health and Human Services has set up a cybersecurity page examining different ransomware operations.
HHS has released multiple reports on ransomware groups this year, including ones on the Royal, Cuba, Venus, Lorenz and Hive ransomware groups in an effort to help healthcare institutions protect themselves.
In 2022, 25 hospitals or hospital systems were attacked with ransomware, affecting 290 individual hospitals, according to data from Emsisoft.