HCF Management notifies 70,000 patients after data breach
Tshedimoso Makhene Jan 28, 2025 6:08:55 PM
A ransomware attack on HCF Management compromised the personal and medical data of approximately 70,000 patients.
What happened
A chain of skilled nursing and rehabilitation facilities operated by HCF Management is alerting tens of thousands of patients about a significant data breach stemming from a hacking incident last fall. The Russian-speaking ransomware gang RansomHub claims responsibility for the attack, stating that it has published 250GB of stolen data.
HCF Management, based in Lima, Ohio, manages over two dozen healthcare facilities across Ohio and Pennsylvania, as well as a home healthcare unit. The organization reported at least 25 data breaches to federal and state regulators on January 9, 2025.
The breach reportedly began on September 17, 2024, when threat actors accessed HCF’s IT systems and acquired sensitive information, including residents' names, addresses, Social Security numbers, medical treatment details, and health insurance information.
Going deeper
RansomHub listed HCF Management on its dark web site on October 29, 2024, and claims to have released the stolen data. HCF stated it first became aware of the unauthorized access on October 3, 2024, and immediately took measures to secure its network, engaging a computer forensic firm for assistance.
In breach notifications, HCF confirmed it had completed its investigation by November 19, 2024, determining the full scope of data potentially exposed. As of now, the organization is facing at least two federal class action lawsuits alleging negligence in protecting patient information.
An attorney for HCF has yet to comment on the lawsuits or whether ransomware specifically encrypted the organization’s data during the attack.
What was said
In its breach notification statement, Hempfield Manor explained that it learned of unauthorized access to its management company’s computer systems on October 3, 2024. “Upon identifying the issue, [the management company] took steps to secure its network and engaged a third-party computer forensic firm to assist with its investigation.”
The investigation revealed that the breach began on September 17, 2024, when an unknown third party gained access to the systems and acquired certain documents. By November 19, 2024, the management company determined that the compromised information varied for each individual but may have included names, addresses, phone numbers, dates of birth, Social Security numbers, medical treatment details, and health insurance information.
To mitigate the impact, the management company implemented measures to enhance its technical security and policies, sent notification letters to affected individuals, and arranged for complimentary identity theft protection services for those whose Social Security numbers were exposed. “Hempfield Manor takes its responsibility to safeguard personal information seriously and apologizes for any inconvenience or concern this incident might cause,” the company stated.
By the numbers
- Total individuals affected: Approximately 70,000
- Largest single breach: Heritage Health Care, affecting 12,162 people
- Largest nursing facility breach: Hempfield Manor in Pennsylvania, impacting 4,744 patients
- Data stolen: 250GB of sensitive information, according to RansomHub
FAQs
Why is the healthcare sector targeted by ransomware attackers?
Healthcare organizations store vast amounts of sensitive data, including medical records, Social Security numbers, and insurance information, which are valuable on the black market. Additionally, healthcare providers often operate on outdated systems with limited cybersecurity measures, making them easier targets.
What are the risks to patients during a ransomware attack?
Patients may face identity theft, financial fraud, loss of access to their medical records, delays in medical care, and long-term consequences if their sensitive information is exploited.
How can healthcare organizations prevent ransomware attacks?
Healthcare providers can strengthen cybersecurity by using updated software, implementing multi-factor authentication, training employees on recognizing phishing attacks, regularly backing up data, and conducting routine security audits.