BOSTON (AP) — A digital attack on a Massachusetts-based health care organization may have compromised the personal information of as many as 2 million people, officials said.
Shields Health Care Group Inc., which provides imaging and outpatient surgery services in dozens of locations, said in a notice on its website Tuesday that data including names, Social Security numbers, dates birth and medical or treatment details are among the information that may have been compromised.
The violation was reported to federal law enforcement and the US Department of Health and Human Services Office for Civil Rights. This agency indicated on its website that 2 million people have been affected. An FBI spokesperson said the agency had no comment.
Shields said he “was alerted to suspicious activity that may involve a data compromise” on March 28 and immediately began investigating.
“This investigation determined that an unknown actor had access to certain Shields systems from March 7, 2022 through March 21, 2022,” the company said. “In addition, the investigation revealed that some data had been acquired by the unknown actor within this time frame. “
There is no evidence that any of the compromised information was used to commit identity theft or fraud, Shields said in a statement Wednesday.
“Shields takes the privacy, confidentiality and security of information entrusted to us seriously,” the website’s notice reads. “Upon discovery, we took steps to secure our systems, including rebuilding some systems, and conducted a thorough investigation to confirm the nature and scope of the activity and to determine who may be affected.”
The company’s review is ongoing and once it is complete, those directly affected will be notified, officials said.
Shields, based in Quincy, has about 40 locations, mostly in Massachusetts but also in New Hampshire and Maine.
Shields also included a list of dozens of facility partners who may have been affected, including Tufts Medical Center, Central Maine Medical Center and UMass Memorial.
FBI Director Christopher Wray told a cybersecurity conference at Boston College this month that the agency foiled a planned attack on Boston Children’s Hospital that was to be carried out by hackers sponsored by the Iranian government.
Healthcare is classified by the US government as one of 16 critical infrastructure sectors, and healthcare providers are considered ripe targets for hackers.
Copyright 2022 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed without permission.