On Christmas, December 2023, Anna Jaques Hospital (AJH) in Massachusetts was grappling with a cyberattack that knocked out their EHR system and resulted in them having to divert ambulances to other area hospitals. On January 23, they posted a preliminary website notice (archived) about the attack.
That notice was posted four days after threat actors known as Money Message had added AJH to their dark web leak site with a claim of having exfiltrated 600 GB of data. Money Message provided numerous screenshots of files with personal and protected health information, and on January 22, they gave the hospital a deadline of January 26 to pay.
On January 26, the threat actors updated their listing by simply posting a new link to an onion URL for the data dump.
AJH Provides Updated Notice
Following AJH’s January 23 notice, there were no updates from AJH until now. On December 5, AJH notified the Maine Attorney General’s Office that a total of 316,342 people were affected by the breach. Their notice included a copy of their notification to patients. AJH also posted an updated notice on their website.
The updated website notice repeats earlier information, including that the type of information impacted may vary per individual but could include demographic information, medical information, health insurance information, Social Security number, driver’s license number, financial information, and other personal or health information that the patient had provided Anna Jacques.
A closer reading of the notification to patients raises a number of questions about the hospital’s transparency, however. The letter states:
As part of the investigation, we engaged leading third-party cybersecurity experts experienced in handling these types of incidents. The investigation aimed to determine the extent of the activity, and whether individual personal information, if any, may have been accessed or acquired by an unauthorized third party. On November 5, 2024, the investigation determined certain files containing your information were potentially accessed by an unauthorized party.
“Certain files containing your information were potentially accessed”? Why didn’t they tell patients that their files were not only actually accessed but were actually exfiltrated and leaked publicly?
Why did they suggest that they were notifying patients out of an abundance of caution when notification was required by law and data with PHI had been leaked publicly?
DataBreaches emailed Beth Israel Leahy Health’s media contact to ask a number of questions, including why AJH had not told patients that data had been leaked on the dark web.
They did not reply.
DataBreaches is not accusing AJH of violating any law or regulation. HIPAA does not seem to require full transparency about incidents that would include telling patients when their information was definitely acquired or leaked on the internet. It’s high time federal and state breach notification laws did require fuller transparency so that patients can more accurate gauge their risk.