Hackers leak over 300,000 patient records in Anna Jaques Hospital ransomware attack.
Anna Jaques Hospital, a not-for-profit community hospital in Massachusetts, revealed the results of a year-long investigation into a ransomware attack by the Money Message group. The breach, which occurred in late 2023, led to the exposure of sensitive data belonging to 316,342 patients. After negotiations with the attackers broke down, the stolen data was leaked on the dark web in early 2024.
The attack happened during the Christmas season of 2023, forcing parts of the hospital’s infrastructure to shut down while hackers accessed its systems. In January 2024, Money Message attempted to extort the hospital, but the demands were not met. Following the data leak, the hospital conducted an extensive investigation, recently filing a report with the Office of the Maine Attorney General.
The report detailed the compromised data, which included demographic information, medical records, Social Security numbers, driver’s license numbers, health insurance details, and financial data. While the leaked information could be used for identity theft, phishing, or other fraudulent activities, the hospital maintains that there is no current evidence of misuse tied directly to the breach.
In its statement to affected patients, the hospital said, “To date, we have no evidence that any of your information has been misused for identity theft or financial fraud as a direct result of this incident.” The reassurance comes as the hospital faces questions about the security of its systems and the impact on patient trust.
The ransomware attack on Anna Jaques Hospital illustrates the heightened risks smaller hospitals face when dealing with limited cybersecurity resources. These facilities often lack the infrastructure and funding to defend against cyberattacks, leaving sensitive patient data vulnerable to breaches.
Yes, legal action can result from a data breach, as affected individuals or organizations may sue for damages caused by the breach.
Healthcare organizations can reduce the risk of data breaches by implementing strong cybersecurity measures, conducting regular security training for employees, and using encryption to protect sensitive data.
Upon discovering a data breach, a healthcare organization should contain the breach, assess the scope of the impact, notify affected individuals and relevant authorities, and begin an investigation to understand how the breach occurred and how to prevent future incidents.