Hawaii-based community clinic says ransomware attack affected over 120,000 patients

The Community Clinic of Maui in Hawaii said it recently experienced a data security incident that compromised the sensitive personal information of more than 120,000 individuals.

 

In a filing with the Office of Maine Attorney General, Community Clinic of Maui, doing business as Malama I Ke Ola Health Center, said that on May 7, it identified suspicious activities that affected connectivity to its internal network.

 

The healthcare clinic immediately launched an investigation, with assistance from external cyber security experts, to determine the nature and scope of the incident, took steps to recover the affected systems and notified law enforcement about the attack.

 

“After an extensive forensic investigation and comprehensive document review, on August 7, 2024, we determined your personal data may have been subject to unauthorised access and acquisition between May 4, 2024 and May 7, 2024,” the clinic said in a letter appended to its regulatory filing.

 

It said the compromised data included patients’ names, Social Security Numbers, dates of birth, driver’s licence numbers, state identification numbers, passport numbers, financial account information, login information, medical diagnosis, clinical Information, biometric data and more.

 

Community Clinic of Maui’s filing with the Attorney General also revealed that at least 123,882 individuals were impacted by the data security incident.

 

While the Clinic found no evidence of the compromised information being misused, it advised all affected individuals to regularly monitor their credit reports, account and benefit statements and report any suspicious activity to law enforcement authorities, including the police and state attorney general.

 

In June, the LockBit ransomware group claimed responsibility for the cyber attack on Malama I Ke Ola Health Center and listed it as a victim on its data leak site. The group gave a deadline of June 11 for the Clinic to meet its ransom demands, threatening to leak the stolen data if the ransom wasn’t paid.

 

 

The clinic is yet to share details on the amount of ransom demanded by LockBit, whether it paid the ransom, or how attackers breached its internal network.