Morris Hospital & Healthcare Centers (Morris Hospital) has issued a notification concerning a cybersecurity incident they discovered on April 4. The incident affects current and former patients of Morris Hospital and current and former employees and their dependents or beneficiaries.
According to their explanation, their forensic investigation determined that “just prior to the incident,” data was exfiltrated to an external storage platform by an unauthorized individual or individuals. The exported files contained records with the names, addresses, dates of birth, social security numbers, medical record numbers and account numbers, and diagnostic codes of current and former healthcare patients at Morris Hospital AND the names, addresses, social security numbers, and dates of birth of current and former employees and their dependents and beneficiaries.
If the export of data was “just prior to the incident,” then what was the actual incident? The notice doesn’t clearly state what the incident was, but for reasons described below, it appears to have been a ransomware incident.
Morris Hospital reports that in response to the incident, it immediately reset passwords for all employee accounts and suspended mobile email access. In addition, they identified and removed malicious files, and enhanced their monitoring, logging, and detection capabilities.
The notice states that it does not have any information to suggest that any personal information has been used inappropriately or without authorization. The website notice does not disclose that the Royal Ransomware group claimed responsibility for this breach on May 22 and added the hospital to its leak site. Since then, Royal has leaked more than 1 TB of data from the hospital.
Perhaps the only thing that is saving patients and employees from potentially more harm is the painfully slow downloads of the leaks from Royal’s server. DataBreaches has yet to obtain all of the data to analyze it to see what is in it, but if Morris Hospital knows that patient data and employee/beneficiary data has been leaked, shouldn’t they have told those being notified? There’s no law that requires it be disclosed, but as a matter of transparency — and if one really cares about their patients and employees — DataBreaches believes they are entitled to full disclosure and that such disclosure should be mandatory, not discretionary or optional.
This incident does not yet appear on HHS’s public breach tool, so we do not know the total number reported to them yet, but the hospital did file a report with the Maine Attorney General’s Office that says a total of 248,943 people were affected.