Wood River Health data breach exposed personal information of over 50,000 individuals

Wood River Health said the data security incident it suffered last year compromised the sensitive personal data of more than 50,000 individuals.

 

Based in Hope Valley, Rhode Island, Wood River Health is a non-profit community health center offering a range of services including primary care, behavioural health, and specialised services like orthopaedic physical therapy.

 

In a data security incident notice published on its website, WRH said that on May 29, it identified a data security incident involving an employee email account. The healthcare provider launched an investigation, with assistance from external cyber security experts, to determine the nature and scope of the incident.

 

“Through the investigation, we learned that an unauthorised actor accessed the email account and may have viewed or acquired certain information between August 8, 2024, and September 6, 2024,” WRH said.

 

The compromised data included names, dates of birth, Social Security numbers, patient account numbers, account numbers, employer assigned identification numbers, medical record numbers, diagnosis, health insurance group numbers, health insurance subscriber numbers, treatment information, electronic/digital signatures, username & passwords, and more.

 

In a filing with the Office of Maine Attorney General, WRH said that it has identified at least 54,926 individuals affected by the incident.

 

“In response to this event, prompt steps were taken to secure the email tenant and conduct a diligent investigation. Wood River Health recognises the evolving nature of cyber security and will continue to take steps to review and enhance safeguards in the future,” WRH added.

 

While the healthcare provider found no evidence of the compromise data being misused, it has advised all affected individuals to regularly monitor their credit reports, account and benefit statements and report any suspicious activity to law enforcement authorities, including the police and the state attorney general. 

 

It has also offered one year of complimentary identity protection and credit monitoring services through TransUnion to all affected individuals.

 

At the time of publishing, no known hacker group claimed responsibility for the cyber attack on WRH. The healthcare provider also did not share details on who was behind the attack, how much data was compromised, or whether it has received a ransom demand.