Cyberattacks on NJ health tech firms expose millions of patient records

Millions of files compromised as two health care companies are hacked.

A data breach at New Jersey-based health tech company HealthEC LLC has breached the records of nearly 4.5 million patients across 18 US healthcare providers. The breach was discovered in October 2023 and reported to the Office of the Maine Attorney General on December 21, 2023. Hackers managed to access highly sensitive medical information.

It was first reported that 112,005 individuals were affected by the breach, but the figure rose to almost 4.5 million patients.

An unknown actor accessed some systems between July 14 and 23 2023, copying files including:

  • medical record numbers and medical data – including patients’ diagnosis, mental/physical condition and prescription information;
  • health insurance information – such as beneficiary number and Medicaid/Medicare identification;
  • billing and claims data – including patient account number and treatment cost information; and
  • personally identifiable information – such as name, address, date of birth, social security number, taxpayer identification number.

“We take this event, your privacy, and the security of information in our care very seriously. Upon learning of the suspicious activity, we moved immediately to investigate and respond,” Health LLC said in a statement. Since the breach, the company notified affected partners and customers, and federal law enforcement. They are also reviewing its existing policies and procedures relating to the information it holds.

The affected HealthEC LLC business partners and customers included:

  • Corewell Health;
  • HonorHealth;
  • University Medical Center of Princeton Physicians’ Organization;
  • Community Health Care Systems;
  • State of Tennessee, Division of TennCare;
  • Beaumont ACO;
  • KidneyLink;
  • Alliance for Integrated Care of New York, LLC;
  • Compassion Health Care;
  • Metro Community Health Centers;
  • Advantage Care Diagnostic & Treatment Center, Inc;
  • Long Island Select Healthcare;
  • Mid Florida Hematology & Oncology Centers, P.A – Mid-Florida Cancer Centers;
  • Illinois Heath Practice Alliance, LLC;
  • East Georgia Healthcare Center;
  • Hudson Valley Regional Community Health Centers; and
  • Upstate Family Health Center, Inc.

So far, no one has claimed responsibility for the attack.

Another New Jersey hack

Capital Health, a primary healthcare service provider in New Jersey and parts of Pennsylvania that operates two major hospitals and several satellite and specialty clinics, was also hacked last year.  

It noticed the incident at the end of November, as someone was hacking systems and causing IT outages. “Capital Health’s IT team took additional security measures to protect systems and worked around the clock to recover and restore our systems,” the firm said. “All systems have been restored and operations have returned to normal, while additional security measures have been implemented to prevent similar incidents from re-occurring.”

However, according to bleeping computer, the LockBit ransomware gang – the most active ransomware group in 2023 – recently claimed responsibility for the attack after listing the healthcare company on its data leak extortion portal.

Capital Health has not yet said how much data has been compromised, but LockBit stated on its site that it ”purposely didn’t encrypt this hospital so as not to interfere with patient care. We just stole over 10 million files. Over 7 terabytes of medical confidently data valued at $250,000.” The hackers had a deadline set for yesterday, January 9, for Capital Health to pay the ransomware – otherwise LockBit threatened to leak the data.

At the time of writing no data has been leaked.