How Hackers Stole Personal Data Of 2 Million Americans From Shields Health Care

Personal information is also valuable information, as personal data in the wrong hands can empower cybercriminals to commit identity theft and fraud. However, even those who take important steps to secure their personal information can have it exposed when an employer, health care provider, government agency, or other organization is breached. More data breaches occur every single day than we could possibly cover, so we have to stick with reporting on the high-profile cases.

Back in March, the Conti ransomware gang breached Parker Hannifin Corporation’s internal systems, potentially exposing the personal information of its current and past employees, as well as their families. Another notable data breach occurred in March, but is only now being disclosed. Shields Health Care Group, a healthcare provider based in Massachusetts and specializing in the use of magnetic resonance imaging (MRI) technology, has published a data security incident notice to its website. 


According to the notice, Shields “identified and investigated a security alert on or around March 18,” but didn’t confirm any data theft at that time. It was not until March 28 that the healthcare provider became aware of suspicious activity that possibly involved data compromise, prompting Shields to launch a further investigation with the help of cybersecurity experts. The investigation revealed that between March 7 and 21, an unknown actor had unauthorized access to certain Shields systems and acquired data from these systems.

While the notice doesn’t provide numbers, the US Department of Health and Human Services (HHS) Office for Civil Rights says this data breach affected 2 million individuals. All these individuals may have had the following information stolen: 
  • Full name
  • Social Security number
  • Date of birth
  • Home address
  • Provider information
  • Diagnosis
  • Billing information
  • Insurance number and information
  • Medical record number
  • Patient ID
  • Other medical or treatment information
Shields is currently conducting an ongoing review of the impacted data, but, so far, the healthcare provider has no evidence that any of the information involved in the breach has been used for identity theft or fraud. Nonetheless, Shields still encourages impacted individuals to consider taking steps to protect their information and accounts, including ordering a credit report, setting up credit fraud alerts, and placing credit freezes. Information about these steps is provided in the notice. The healthcare provider will directly contact those who have been impacted, once the review has been completed. Shields has already reported this incident to federal law enforcement and plans to notify relevant state and federal regulators, as well.

The notice contains the following statement regarding the steps Shields has taken in response to this incident: “Shields takes the confidentiality, privacy, and security of information in our care seriously. Upon discovery, we took steps to secure our systems, including rebuilding certain systems, and conducted a thorough investigation to confirm the nature and scope of the activity and to determine who may be affected. Additionally, while we have safeguards in place to protect data in our care, we continue to review and further enhance these protections as part of our ongoing commitment to data security.”