The personal and healthcare data of up to 2 million patients has been compromised in a hacking incident at Shields Health Care Group. Shields Health Care Group provides MRI, PET/CT, ASC, radiation oncology and medical imaging services on behalf of healthcare providers, and operates more than 40 facilities in Massachusetts, Maine, and New Hampshire.
At present, the exact nature of the cyberattack has not been made public, but Shields Health Care Group says an unauthorized actor gained access to its systems between March 7 and March 21, 2022. According to that notice, Shields Health Care Group became aware that a security breach had occurred that potentially involved data theft on March 28, 2022; however, a previous security alert was generated on March 18, 2022. That earlier incident was investigated but it was not thought that any patient data had been exposed or accessed.
Shields Health Care Group has now confirmed that during the time the hackers had access to its network, certain files were copied from its systems, and those files contained patients’ personal and health information. The process of reviewing all the affected files is ongoing and notification letters will be sent to all affected individuals when that process is completed.
So far, the review has confirmed that the impacted HIPAA compliance data breach includes names, dates of birth, addresses, Social Security numbers, diagnoses, billing information, insurance numbers and information, medical record numbers, patient IDs, provider names, and other medical or treatment information. The patients affected by the security breach had received services at 56 facilities throughout New England, including hospitals and facilities operated by Shields Health Care Group.
At 2 million records this is the largest U.S. healthcare data breach to be reported so far in 2022, beating the previous record data breach at Broward Health that was announced in January. The Broward Health breach involved the protected health information of 1.3 million patients.