DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Anna Jaques Hospital notifies 316,300 people about 2023 ransomware attack

Posted on December 7, 2024 by Dissent

On Christmas, December 2023, Anna Jaques Hospital (AJH) in Massachusetts was grappling with a cyberattack that knocked out their EHR system and resulted in them having to divert ambulances to other area hospitals. On January 23, they posted a preliminary website notice (archived) about the attack.

That notice was posted four days after threat actors known as Money Message had added AJH to their dark web leak site with a claim of having exfiltrated 600 GB of data. Money Message provided numerous screenshots of files with personal and protected health information, and on January 22, they gave the hospital a deadline of January 26 to pay.

On January 26, the threat actors updated their listing by simply posting a new link to an onion URL for the data dump.

On January 26, Money Message posted a link to the data dump. That link is no longer live. Image: DataBreaches.net

AJH Provides Updated Notice

Following AJH’s January 23 notice, there were no updates from AJH until now. On December 5, AJH notified the Maine Attorney General’s Office that a total of 316,342 people were affected by the breach. Their notice included a copy of their notification to patients. AJH also posted an updated notice on their website.

The updated website notice repeats earlier information, including that the type of information impacted may vary per individual but could include demographic information, medical information, health insurance information, Social Security number, driver’s license number, financial information, and other personal or health information that the patient had provided Anna Jacques.

A closer reading of the notification to patients raises a number of questions about the hospital’s transparency, however. The letter states:

As part of the investigation, we engaged leading third-party cybersecurity experts experienced in handling these types of incidents. The investigation aimed to determine the extent of the activity, and whether individual personal information, if any, may have been accessed or acquired by an unauthorized third party. On November 5, 2024, the investigation determined certain files containing your information were potentially accessed by an unauthorized party.

“Certain files containing your information were potentially accessed”?   Why didn’t they tell patients that their files were not only actually accessed but were actually exfiltrated and leaked publicly?

Why did they suggest that they were notifying patients out of an abundance of caution when notification was required by law and data with PHI had been leaked publicly?

DataBreaches emailed Beth Israel Leahy Health’s media contact to ask a number of questions, including why AJH had not told patients that data had been leaked on the dark web.

They did not reply.

DataBreaches is not accusing AJH of violating any law or regulation. HIPAA does not seem to require full transparency about incidents that would include telling patients when their information was definitely acquired or leaked on the internet. It’s high time federal and state breach notification laws did require fuller transparency so that patients can more accurate gauge their risk.

Category: Breach IncidentsCommentaries and AnalysesHealth DataMalwareU.S.

Post navigation

← Veterans Affairs’ Nurse Charged With Unlawfully Accessing Patient Health Information
Hoboken NJ cyberattack by 3AM was “massive” →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Lower Merion School District says a data breach was caused by a computer glitch
  • After $1 Million Ransom Demand, Virgin Islands Lottery Restores Operations Without Paying Hackers
  • Junior Defence Contractor Arrested For Leaking Indian Naval Secrets To Suspected Pakistani Spies
  • Mysterious leaker GangExposed outs Conti kingpins in massive ransomware data dump
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • Class action settlement following ransomware attack will cost Fred Hutchinson Cancer Center about $52 million
  • Comstar LLC agrees to corrective action plan and fine to settle HHS OCR charges
  • Australian ransomware victims now must tell the government if they pay up
  • U.S. Sanctions Cloud Provider ‘Funnull’ as Top Source of ‘Pig Butchering’ Scams
  • Victoria’s Secret takes down website after security incident

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Fears Grow Over ICE’s Reach Into Schools
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • She Got an Abortion. So A Texas Cop Used 83,000 Cameras to Track Her Down.
  • Why AI May Be Listening In on Your Next Doctor’s Appointment
  • Watch out for activist judges trying to deprive us of our rights to safe reproductive healthcare
  • Nebraska Bans Minor Social Media Accounts Without Parental Consent
  • Trump Taps Palantir to Compile Data on Americans

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.