With ransomware attacks reaching record numbers, and more than a billion stolen passwords for sale on the dark web, I’m constantly amazed that there aren’t more data breaches, if I’m honest. Not that it makes it any the less shocking when a healthcare provider discloses that the medical records of a million patients have been compromised. Here’s what we know about the Community Health Center security incident.
More Than A Million Medical Records Stolen
In a Jan. 30 filing to the Office of the Maine Attorney General, Connecticut-based healthcare provider Community Health Center has disclosed that a data breach, first discovered Jan. 2, has impacted more than a million patients following a successful attack by unknown threat actors who gained access to its networks.
In a letter to impacted patients, seen by this reporter, Mark Masselli, president and CEO at Community Health Center, Inc., said that investigators had determined that “a skilled criminal hacker got into our system and took some data, which might include your personal information.” This doesn’t appear to have been a ransomware attack, as Masselli said no data was deleted or encrypted, and the hack didn’t impact healthcare operations. “We believe we stopped the criminal hacker’s access within hours,” Masselli said, “and that there is no current threat to our systems.”
There is, however, the small matter of the files that the hacker stole: files containing “patients’ personal and health information belonging to 1,060,936 individuals.” The stolen data is understood to include:
- Patient Names
- Dates of Birth
- Contact Information
- Social Security Numbers
- Medical Diagnoses
- Treatment Details
- Test Results
- Health Insurance Details
A Medical Records Nightmare
“This incident highlights the urgency of securing healthcare infrastructures—protecting not just patient data, but the broader ecosystem of communication, collaboration, and care delivery,” Emily Phelps, a director at Cyware, said. “Incidents in this sector underscore the ongoing risks healthcare providers face, with attackers gaining access to sensitive data like names, medical diagnoses, and insurance details.”
Masselli, meanwhile, said that Community Health Center had “strengthened our security and added special software to watch for suspicious activity,” although this will be of cold comfort to those patients whose medical records have been compromised. Given that the attacker also has access to names, dates of birth and health insurance details, this could be an extortion nightmare waiting to unfold.