Pierluigi Paganini December 09, 2024

Anna Jaques Hospital revealed that the ransomware attack it suffered last year has exposed sensitive health data for over 316,000 patients.

On December 25, 2023, a ransomware attack hit the Anna Jaques Hospital. The hospital revealed that the security breach exposed sensitive health data for over 316,000 patients.

Anna Jaques Hospital is a not-for-profit community healthcare facility located in Newburyport, Massachusetts. Serving the Merrimack Valley, North Shore, and Southern New Hampshire areas, it provides a range of medical services, including emergency care, maternity, oncology, cardiology, and orthopedic care. The hospital has 83 beds and a team of over 1,200 employees, including 200 physicians.

In 2023, upon discovering the cyber attack, the Anna Jaques Hospital took the impacted systems down and launched an investigation into the security breach.

On January 19, the Money Message ransomware gang added the healthcare organization to its Tor leak site claiming the theft of 600GB of sensitive data, including PII and diagnoses.

After the negotiation with the hospital failed, the Money Message group leaked the stolen data on January 26.

Anna Jaques Hospital completed the forensic investigation on November 5, 2024 and determined that the incident impacted 316,342 patients.

“Upon detecting the incident, we commenced an immediate and thorough investigation, contained the network, and alerted law enforcement. As part of the investigation, we engaged leading third-party cybersecurity experts experienced in handling these types of incidents. The investigation aimed to determine the extent of the activity, and whether individual personal information, if any, may have been accessed or acquired by an unauthorized third party. While we conducted our investigation, out of anbundance of caution, on Janurary 24, 2024, Anna Jaques posted a notice on ther website.” reads the notice of security incident shared with the Maine Attorney General. “After a thorough forensic investigation and manual document review, on November 5, 2024, the investigation determined certain files containing information was accessed by an unauthorized party.”

Exposed information varies per individual, however, it may include demographic information, medical information, health insurance information, Social Security number, driver’s license number, financial information, and other personal or health information that patients provided Anna Jacques.

The Anna Jaques Hospital is not aware of fraudulent abuse of stolen information, however

“Anna Jaques has no indication that there has been any fraud as a result of this incident. However, out of abundance of caution, commencing on December 5, 2024, Anna Jaques notified indivduals whose information may have been impacted as a result of the incident to the extent Anna Jaques had their address.” reads a statement published on the hospital’s website. “Additionally, Anna Jaques reminds its employees and patients to remain vigilant in reviewing financial account statements on a regular basis for any fraudulent activity. Anna Jaques also recommends that its patients review the explanation of benefits statements that they receive from their health insurance providers and follow up on any items not recognized.”

The hospital offered impacted individuals 24 Months, Experian and 1B credit monitoring.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Anna Jaques Hospital)