Anna Jaques Hospital in Newburyport, Massachusetts, recently disclosed that a ransomware attack on Christmas Day 2023 compromised the personal data of over 316,000 patients. While the hospital contained the attack and engaged cybersecurity experts to investigate, notification letters to affected individuals were not sent until December 2024, nearly a year later.
Data compromised in the breach includes sensitive medical, financial, and personal information, some of which has reportedly been published on the dark web.
The attack, attributed to the Money Message ransomware group, underscores the persistent vulnerabilities faced by healthcare institutions and the significant delays that can occur in breach reporting. Despite offering credit monitoring services to affected individuals, concerns remain over the timeliness of the hospital’s response and the long-term impact on patient trust.
Why It Matters: Cyberattacks on healthcare organizations pose serious risks, exposing sensitive patient data and threatening the integrity of critical systems. This incident highlights the importance of timely notification and robust cybersecurity practices to safeguard patient trust and minimize potential harm. By addressing the challenges posed by such breaches, institutions can improve resilience and ensure better protection for those they serve.
- Scale and Nature of the Breach: The ransomware attack compromised the data of 316,342 individuals, including names, medical records, Social Security numbers, and financial details. The Money Message ransomware group claimed responsibility, stealing 600GB of data, which has been publicly accessible since January 2024.
- Delayed Notifications: Despite identifying the breach in late 2023, the hospital issued patient notifications only in December 2024. This delay has drawn criticism for giving bad actors ample time to misuse the stolen data.
- Hospital Response: Anna Jaques engaged cybersecurity professionals to contain the breach, investigate the incident, and mitigate its impact. Affected individuals were offered two years of credit monitoring services, though experts note this may be insufficient given the data’s prolonged exposure.
- Data Published on the Dark Web: Following the hospital’s refusal to pay the ransom, the stolen data was leaked online in January 2024. The information remains accessible.