Ransomware attack on Memorial Hospital and Manor impacted over 120,000 patients

Bainbridge, Georgia-based Memorial Hospital and Manor said that the data security incident it suffered in November compromised the sensitive personal information of more than 120,000 individuals.

 

In November, the hospital said that its employees started receiving notifications of potential risks identified by its virus protection software. The healthcare provider immediately launched an investigation, with assistance from external cyber security experts, to determine the nature and scope of the incident.

 

The investigation revealed that the hospital had been a victim of a ransomware attack which affected its Electronic Health Record system.

 

In a data security incident notice filed with the Office of Maine Attorney General, the healthcare provider said that the sensitive personal information of its patients were assessed during the incident. This includes names, Social Security numbers, dates of birth, health insurance information, medical treatment data and history information. 

 

Memorial Hospital and Manor also said in its filing with the Maine state regulator that at least 120,085 individuals were impacted by the incident.

 

“As soon as Memorial discovered the incident, we took steps to secure our environment and enlisted a leading, independent cybersecurity firm to conduct a forensic investigation. We also reported the incident to the FBI and will cooperate with any resulting investigation. In addition, we have implemented several measures to enhance our security posture and reduce the risk of similar future incidents,” reads the notice.

 

While the healthcare provider found no evidence of the compromise data being misused, it has advised all affected individuals to regularly monitor their credit reports, account and benefit statements and report any suspicious activity to law enforcement authorities, including the police and the state attorney general. It has also offered one year of complimentary identity protection and credit monitoring services through IDX to all affected individuals.

 

The Embargo ransomware group has claimed responsibility for the cyber attack and listed the hospital as a victim on its data leak site. The group claims to be in possession of 1.15 TB of data stolen from the hospital’s network and gave the latter until November 8 to pay a ransom. The hospital did not mention if a ransom was paid.