Anna Jacques Hospital Ransomware Breach Hits 316K Patients – Source: www.infosecurity-magazine.com

One of Massachusetts’ leading hospitals has revealed the extent of a serious ransomware breach that took place almost a year ago.

Anna Jacques Hospital is a non-profit, 119-bed community hospital based in Newburyport, serving the North Shore, Merrimack Valley and Seacoast region.

According to a new data breach notification letter published on its website, the non-profit discovered the incident on around Christmas Day (December 25) 2023.

“After a thorough forensic investigation and manual document review, on November 5, 2024, the investigation determined certain files containing information was accessed by an unauthorized party,” it noted.

“The impacted information varies per individual; however, it may include demographic information, medical information, health insurance information, Social Security number, driver’s license number, financial information, and other personal or health information that you provided Anna Jacques.”

Read more on hospital ransomware breaches: INC Ransom Claims Cyber-Attack on UK Children’s Hospital

The hospital claimed that there’s no evidence of fraud occurring as a result of the incident, but said it was notifying individuals from December 6 onwards “out of abundance of caution.”

It also urged patients and employees to “remain vigilant in reviewing financial account statements on a regular basis for any fraudulent activity.”

The Office of the Maine Attorney General’s website, where the letter was also posted, revealed the total number of victims as 316,342.

They have been offered a complementary two-year membership of IdentityWorks Credit 3B for credit report monitoring, identity theft protection and dark web monitoring.

Given its low tolerance for outages and the wealth of personal, financial and insurance data it stores, the healthcare industry remains a popular target for ransomware actors.

Barracuda Networks research from August claimed that more than a fifth (21%) of ransomware attacks targeted healthcare organizations over the previous 12 months, up from 18% from the previous year.

It’s unclear why it took the hospital, which is part of Beth Israel Lahey Health, so long to notify victims of the attack.

Given that the Money Message ransomware group that attacked it leaked all the data it stole in January 2024, threat actors and fraudsters have theoretically had plenty of time to monetize it.