As DataBreaches recently reported, in June 2023, SysInformation Healthcare Services d/b/a EqualizeRCM discovered a ransomware attack. One year later, we still don’t know how many clients and patients were affected.
But SysInformation wasn’t the only entity that suffered a ransomware attack in June 2023 that hadn’t sent notifications by now.
Florida Community Health Centers (FCHC) notified the Maine Attorney General’s Office that on or around June 13, 2023, it noticed suspicious activity in its network. According to their notification letter, a copy of which was submitted to the state:
Due to the sparsity of the available evidence for review, FCHC was unable to confirm whether an unauthorized user was able to access or obtain any personal information pertaining to its patients or employees [….] On October 12, 2023, the investigation concluded that it was possible that an unauthorized user bypassed the access controls and accessed information within FCHC’s computer systems.
Because it was so difficult to determine whose data may have been accessed and who needed to be notified, FCHC posted a notice of the incident on the homepage of its website on November 20, 2023 as an interim notice.
The incident has now been reported as affecting a total of 296,635 people.
But why the sparsity of available evidence? DataBreaches emailed FCHC yesterday to inquire about that and to ask what ransomware group was responsible for the attack. There has been no reply. The incident has not yet shown up on HHS’s public breach tool, so we do not yet know the number of patients affected (it may be the number submitted to Maine or just a subset).