US medical services provider Shields Health Care Group (SHCG) has disclosed a data breach that compromised the sensitive personal information of more than 2.3 million people.
In a letter sent to affected individuals, SHCG said that on March 28, 2022, it identified suspicious activity in its internal network and immediately launched an investigation with assistance from third-party cyber security experts to understand the nature and scope of the security incident.
The investigation concluded that threat actors had access to Shields Health Care’s internal systems between March 7, 2022, and March 21, 2022, and had compromised certain personal information of its patients.
As per a data breach notification posted on SHCG’s website, the threat actors compromised personal information including social security numbers, dates of birth, home addresses, provider information, diagnosis, billing information, insurance numbers and information, medical record numbers, patient IDs, and other medical or treatment information.
A filing with the Office of the Maine Attorney General confirms that at least 2,380,483 individuals were impacted by the security incident. The healthcare provider reported the security incident to law enforcement and other relevant state and federal regulators and notified all impacted individuals about the incident.
“Shields takes the confidentiality, privacy, and security of information in our care seriously. Upon discovery, we took steps to secure our systems, including rebuilding certain systems, and conducted a thorough investigation to confirm the nature and scope of the activity and to determine who may be affected.
“Additionally, while we have safeguards in place to protect data in our care, we continue to review and further enhance these protections as part of our ongoing commitment to data security,” the data breach notice read.
Shields Health Care Group is providing all affected individuals with credit monitoring and identity theft protection services for 24 months. It also encouraged them to be vigilant against incidents of identity theft and fraud by reviewing their account statements and monitoring their credit reports for suspicious activity or errors.
Earlier this month, Illinois Gastroenterology Group (IGG) settled a class-action lawsuit filed against it for failing to prevent the breach of sensitive personal information of over 227,943 patients. IGG started notifying all affected individuals almost six months after the security incident took place.
Following this, a class action lawsuit was filed against the healthcare provider for failing to protect patients’ information, violating the Illinois Consumer Fraud and Deceptive Business Practices Act, and more.