Anna Jaques Hospital, based in Newburyport, Massachusetts, has informed more than 316,000 individuals about a data breach stemming from a cyberattack that occurred around Christmas 2023. The attack, carried out by the cybercriminal gang known as Money Message, reportedly involved the theft of 600 gigabytes of data, which was later posted on the gang’s dark web site in January 2024.
Details of the Incident
The hospital, part of the larger Beth Israel Lahey Health system, disclosed the breach to Maine state regulators on December 5, 2024. According to their report, the cyberattack occurred on or around December 25, 2023, and temporarily disrupted the hospital’s IT systems. While Anna Jaques Hospital first issued a public notice about the incident in January 2024, it wasn’t until November 5, 2024, that the hospital completed a forensic investigation and manual document review to determine the scope of the compromised data.
The hospital’s updated breach notice reveals that the affected data may include:
- Personal demographic details
- Medical information and diagnoses
- Health insurance information
- Social Security numbers
- Driver’s license and financial details
Despite these findings, the hospital has not acknowledged that the stolen data was published on Money Message’s dark web platform. The leaked records reportedly include sensitive information such as employee disciplinary files, patient vaccine records, and medical imaging orders.
Forensic Investigation and Response
Anna Jaques Hospital stated that upon detecting the breach, it secured its network, launched an investigation, and notified law enforcement. The hospital also engaged third-party cybersecurity experts to assist in the response. However, the timeline for completing the investigation—nearly a year—has raised questions among experts.
Challenges in Attribution and Analysis
Experts also noted that the investigation’s length could stem from limited logging capabilities or corrupted evidence left by the attackers. “If the ransomware attackers left minimal or compromised logs, it becomes significantly harder to determine what data was accessed or stolen,” said Scott Weinberg, CEO of Neovera.
The hospital’s response indicates that no fraud has been detected as a result of the breach. However, the fact that Money Message posted the stolen data online suggests that the hospital did not engage with the threat actors in ransom negotiations.
“Some organizations adopt a strict policy against negotiating with attackers,” Wichman noted. “While this stance is understandable, engaging with the attackers during negotiations can sometimes provide critical insights into what data has been compromised.”
Broader Implications for Healthcare Security
The timing of the attack—during the holiday season—aligns with a broader trend. A report from Semperis found that 72% of ransomware attacks target organizations during holidays or weekends, with the healthcare sector being particularly vulnerable.
This breach serves as a stark reminder of the persistent threats facing healthcare providers. Organizations must prioritize robust cybersecurity measures, including better logging capabilities and incident response strategies, to mitigate risks and improve their ability to respond to future attacks effectively.
0 Comments