A healthcare system with services in 17 Pennsylvania counties says a ransomware incident last year allowed unknown actors to access sensitive patient information such as Social Security numbers, medical records, and health insurance information.
Wilkes-Barre-based Maternal and Family Health Services Inc. (MFHS) discovered the breach on April 4, 2022.
The sensitive patient information that could have been accessed also included dates of birth, patient account numbers, and driver’s license numbers, as well as payment and financial account information.
An investigation found unknown actors gained unauthorized access to the organization’s systems between Aug. 21, 2021, and April 4, 2022, according to the MFHS website.
“The data breach was wide-reaching and compromised the personal information of at least 461,000 patients,” according to legal papers referencing a submission MFHS made to the U.S. Secretary of Health and Human Services at the Office for Civil Rights.
But MFHS didn’t start notifying patients until nine months later in a Jan. 3, 2023, letter.
“Maternal and Family Health Services experienced a ransomware incident. During the typical ransomware incidents, cyber criminals try to lock an organization’s digital files in an attempt to get paid for digital key to unlock the files. We promptly launched an investigation, engaged a National Cybersecurity firm to assist in assessing the scope of the incident, and took steps to mitigate the potential impact to our community,” the letter said.
“Please note that there is no evidence at this time that any of your personal information has been misused as a result of this incident.”
Chris Izquierdo of Scranton says he is a victim of identity theft due to the data breach. Izquierdo is the lead plaintiff in a newly filed class action case in the Middle District of Pennsylvania, seeking damages and future protection from identity theft for those affected.
A complaint filed this month says MFHA downplayed the seriousness of the breach.
Since the Data Breach, Izquierdo has learned of at least five fraudulent credit card accounts being opened in his name, court papers say. Opening these accounts would have required knowledge of his personal information, such as name, date of birth, and Social Security number.
His credit score has decreased because the fraudulent accounts have outstanding balances and are accruing interest charges he is asked to pay. A utility service account has been opened using his information in Florida, where he has never lived.
Medical data is particularly valuable, according to the court filing, because criminals can use it to target victims with scams that take advantage of the victim’s medical conditions or settlements. It can be used to create fake insurance claims, allowing for the purchase and resale of medical equipment, or the information can be used to get prescriptions for illegal use or resale.
The theft can lead to inaccurate medical records, which could lead to misdiagnosis.
The Epoch Times asked MFHS for comment, but it did not respond by the time of publication.