Data Breaches at Nursing Home Chain Impacted 70,000 Residents

Nursing home operators are notifying their residents of compromised data, as a result of a hacking incident involving Russian-speaking cybercriminal group RansomHub last fall.

Nearly 70,000 residents have been affected, with Ohio-based HCF Management hacked in October, according to a report from BankInfo Security. The operator is facing two federal class action lawsuits tied to the breach, both alleging claims that the HCF failed to secure patient information.

Besides HCF, 80-hospital bed and 107-bed long-term care facility Memorial Hospital and Manor, owned and operated by the Hospital Authority of the City of Bainbridge and Decatur County in Georgia, was also targeted in the attack, affecting IT systems for several days in November.

Advertisement

The ransomware attack is among hundreds reported last year that led to major health data breaches, most notably involving Change Healthcare, a subsidiary of UnitedHealth Group. Just last week, UHC announced that around 190 million people were estimated to have had their data stolen, a much higher number than had been previously thought, according to another report from the Wall Street Journal.

Last year, the health care sector ranked third in the number of ransomware attacks, following manufacturing and professional services industries, according to a research report from security firm Black Kite. About 4% of ransomware attacks in the health care sector occurred at nursing homes and assisted living communities, the firm found.

HCF manages more than two dozen skilled nursing facilities across Ohio and Pennsylvania, along with a home health care unit.

Advertisement

HCF on Jan. 9 submitted at least 25 data breach reports to state and federal regulators. HCF took steps to secure its network and hired an external computer forensic firm after learning on Oct. 3 that a third party had gained unauthorized access to its management company computer systems.

RansomHub published resident information, including names, addresses, phone numbers, date of birth, Social Security numbers, health insurance information and medical treatment information, on Oct. 29.

Companies featured in this article:

, , , , ,