A cyberattack on Shields Health Care Group Inc. may have compromised the identity and medical information of approximately 2 million people, the imaging and outpatient surgical center company disclosed.
Shields said the compromised data could include full names, social security numbers, dates of birth, home addresses, provider information, diagnoses, billing information, insurance numbers and information, medical record numbers, patient IDs, and other medical or treatment information. Shields said it is still conducting a review of the impacted data, and didn’t have evidence that any of the information from the incident was used to commit identity theft or fraud.
Shields said it notified federal law enforcement, would report the incident to state and federal regulators, and planned to directly notify impacted individuals where possible after it completes a review. The company notified federal officials of the breach on May 27.
Heath Renfrow, co-founder of FENIX24, a Tennessee-based cybersecurity restoration company, said there has been a steady increase of cyberattacks since 2015, particularly on health care. Hackers typically use stolen data to ransom companies for money, or they sell it on the dark web.
Sanctions on Russia temporarily slowed cyberattacks, Renfrow said, as they prevented many Russia-based attackers from getting paid. But attacks are now on the rise again as actors pivot to partner with ransomware groups not subject to sanctions.
“Health care has a soft underbelly,” Renfrow said. “It’s an easy target.”
Shields said on its website that it had first identified a security alert around March 18 but hadn’t discovered any data theft. The company then was alerted to suspicious activity on March 28 that may have involved a data compromise. A subsequent investigation showed that an unknown actor gained access to Shields systems from March 7 to March 21, and had acquired data.
“Shields takes the confidentiality, privacy, and security of information in our care seriously,” the company wrote in a memo on its website. “Upon discovery, we took steps to secure our systems, including rebuilding certain systems, and conducted a thorough investigation to confirm the nature and scope of the activity and to determine who may be affected. Additionally, while we have safeguards in place to protect data in our care, we continue to review and further enhance these protections as part of our ongoing commitment to data security.”
A company spokesperson did not immediately respond to requests for comment.
The breach was first reported by Health IT Security.
The breach may have impacted over 50 health care facilities, including a number of health systems and hospitals throughout the state that receive management and imaging services from Shields. The list of potentially affected facility partners included UMass Memorial Health, Baystate Health, and Tufts Medical Center.
Details of the breach come just a week after FBI Director Christopher Wray disclosed at a cybersecurity conference that the federal agency had thwarted an attempted cyberattack on Boston Children’s Hospital last year by a hacker group sponsored by the Iranian government.
Hospitals have been on high alert since March, due to security concerns as the war in Ukraine continues, as well as security breaches on health care companies last year.