Group Well being Middle (CHC), a number one Connecticut healthcare supplier, is notifying over 1 million sufferers of a data breach that impacted their private and well being knowledge.
The non-profit group supplies main medical, dental, and psychological well being providers to greater than 145,000 energetic sufferers.
CHC mentioned in a Thursday submitting with Maine’s legal professional basic that unknown attackers gained entry to its community in mid-October 2024, a breach found greater than two months later, on January 2, 2025.
Whereas the risk actors stole recordsdata containing sufferers’ private and well being data belonging to 1,060,936 people, the healthcare group says they did not encrypt any compromised methods and that the security breach did not affect its operations.
Investigators employed to evaluate the incident’s affect and safe CHC’s methods discovered that “a talented legal hacker” was behind the assault.
“Thankfully, the legal hacker didn’t delete or lock any of our knowledge, and the legal’s exercise didn’t have an effect on our day by day operations. We imagine we stopped the legal hacker’s entry inside hours, and that there isn’t a present risk to our methods,” CHC added.
Relying on the affected people, together with “present and former sufferers and all people who acquired a COVID check or vaccine at a CHC clinic,” the attackers stole a mixture of:
- private (names, dates of delivery, addresses, telephone numbers, emails, Social Safety numbers) or
- well being data (medical diagnoses, remedy particulars, check outcomes, and medical insurance.
A CHC spokesperson was not instantly out there when BleepingComputer reached out for extra particulars on the incident.
Whereas CHC mentioned the hackers did not encrypt any of its methods, extra ransomware operations have switched techniques to turn out to be knowledge theft extortion teams lately.
As an illustration, the BianLian ransomware gang steadily deserted file encryption after Avast launched a free decryptor in January 2023. A joint advisory issued by CISA, the FBI, and the Australian Cyber Safety Centre additionally confirmed this in November 2024.
This week, the New York Blood Middle (NYBC), one of many world’s largest impartial blood assortment and distribution organizations, additionally disclosed {that a} Sunday ransomware assault pressured it to reschedule some appointments.
Over the weekend, UnitedHealth additionally revealed that roughly 190 million Individuals had their private and healthcare knowledge stolen in final 12 months’s Change Healthcare ransomware assault, practically doubling the determine of 100 million disclosed in October.
In response to this surge of large healthcare security breaches, the U.S. Division of Well being and Human Providers (HHS) proposed updates to HIPAA (quick for Well being Insurance coverage Portability and Accountability Act of 1996) in late December to safe sufferers’ well being knowledge.