DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Anna Jaques Hospital notifies 316,300 people about 2023 ransomware attack

Posted on December 7, 2024 by Dissent

On Christmas, December 2023, Anna Jaques Hospital (AJH) in Massachusetts was grappling with a cyberattack that knocked out their EHR system and resulted in them having to divert ambulances to other area hospitals. On January 23, they posted a preliminary website notice (archived) about the attack.

That notice was posted four days after threat actors known as Money Message had added AJH to their dark web leak site with a claim of having exfiltrated 600 GB of data. Money Message provided numerous screenshots of files with personal and protected health information, and on January 22, they gave the hospital a deadline of January 26 to pay.

On January 26, the threat actors updated their listing by simply posting a new link to an onion URL for the data dump.

On January 26, Money Message posted a link to the data dump. That link is no longer live. Image: DataBreaches.net

AJH Provides Updated Notice

Following AJH’s January 23 notice, there were no updates from AJH until now. On December 5, AJH notified the Maine Attorney General’s Office that a total of 316,342 people were affected by the breach. Their notice included a copy of their notification to patients. AJH also posted an updated notice on their website.

The updated website notice repeats earlier information, including that the type of information impacted may vary per individual but could include demographic information, medical information, health insurance information, Social Security number, driver’s license number, financial information, and other personal or health information that the patient had provided Anna Jacques.

A closer reading of the notification to patients raises a number of questions about the hospital’s transparency, however. The letter states:

As part of the investigation, we engaged leading third-party cybersecurity experts experienced in handling these types of incidents. The investigation aimed to determine the extent of the activity, and whether individual personal information, if any, may have been accessed or acquired by an unauthorized third party. On November 5, 2024, the investigation determined certain files containing your information were potentially accessed by an unauthorized party.

“Certain files containing your information were potentially accessed”?   Why didn’t they tell patients that their files were not only actually accessed but were actually exfiltrated and leaked publicly?

Why did they suggest that they were notifying patients out of an abundance of caution when notification was required by law and data with PHI had been leaked publicly?

DataBreaches emailed Beth Israel Leahy Health’s media contact to ask a number of questions, including why AJH had not told patients that data had been leaked on the dark web.

They did not reply.

DataBreaches is not accusing AJH of violating any law or regulation. HIPAA does not seem to require full transparency about incidents that would include telling patients when their information was definitely acquired or leaked on the internet. It’s high time federal and state breach notification laws did require fuller transparency so that patients can more accurate gauge their risk.

Category: Breach IncidentsCommentaries and AnalysesHealth DataMalwareU.S.

Post navigation

← Veterans Affairs’ Nurse Charged With Unlawfully Accessing Patient Health Information
Hoboken NJ cyberattack by 3AM was “massive” →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • McLaren provides written notice to 743,131 patients after ransomware attack in July 2024
  • A state forensics lab was leaking its files. Getting it locked down involved a number of people.
  • CoinMarketCap Hacked, Scrambles to Remove Malicious Wallet Verification Popup
  • Montana Attorney General launches investigation into Lee Enterprises data breach
  • AT&T gets preliminary approval for $177 million data breach settlement
  • Aflac notifies SEC of breach suspected to be work of Scattered Spider
  • Former JBLM soldier pleads guilty to attempting to share military secrets with China
  • No, the 16 billion credentials leak is not a new data breach — a wake-up call about fake news (Updated)
  • Tonga’s health system hit by cyberattack (1)
  • Russia Expert Falls Prey to Elite Hackers Disguised as US Officials

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • The Markup caught 4 more states sharing personal health data with Big Tech
  • Privacy in the Big Sky State: Montana’s Consumer Privacy Law Gets Amended
  • UK Passes Data Use and Access Regulation Bill
  • Officials defend Liberal bill that would force hospitals, banks, hotels to hand over data
  • US Judge Invalidates Biden Rule Protecting Privacy for Abortions
  • DOJ’s Data Security Program: Key Compliance Considerations for Impacted Entities
  • 23andMe fined £2.31 million for failing to protect UK users’ genetic data

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.