Data Breach at Anna Jaques Hospital Leaks Data of Over 300,000 Patients

Anna Jaques Hospital, a healthcare provider in Massachusetts, recently confirmed it suffered a ransomware attack on Christmas last year.

Vital healthcare provider targeted by ransomware attack

The ruthless attack led to the exposure of sensitive health data of over 310,000 patients. The not-for-profit organization provides healthcare services to the local communities of Merrimack Valley, North Shore, and southern New Hampshire.

With 83 beds, 200 physicians and 1,200 staff members, the hospital is recognized for its high-quality care, performing over 4,700 surgeries annually.

On Dec. 25 last year, hospital personnel identified a cyberattack that compromised various systems. Administrators swiftly isolated impacted systems and notified the authorities.

Money Message ransomware gang’s extortion tactics

Unfortunately, the damage was already done: a month later, the hospital found itself in the crosshairs of the notorious ransomware group Money Message.

The Money Message ransomware gang started publicly extorting Anna Jaques Hospital on January 19, 2024, posting excerpts of stolen data on their dark web portal. The infamous group demanded ransom in exchange for not releasing the full dataset.

After AJH administrators refused to negotiate with the perpetrators, the group dumped the entire cache of stolen data on their ransomware platform.

A thorough investigation revealed leaked data

As revealed through a thorough forensic investigation completed Nov. 5, the data included:

• Demographic details
• Medical and health insurance information
• Financial information
• Social Security Numbers (SSNs)
• Driver's license numbers
• Other personal or health-related data

The investigation involved a meticulous manual review of affected documents. Unfortunately, this thorough approach contributed to a delay in confirming the full impact of the breach.

AJH states it found no evidence of fraud attempts

By the time AJH had notified the office of the Maine Attorney General and affected individuals on Dec 5, 2024, it was already clear that the data of 316,342 patients had been exposed.

Despite the breach, the hospital says it has no evidence that threat actors used the leaked data for fraudulent activities. However, the hospital took a proactive approach to supporting affected individuals, offering them 24 months of complimentary identity protection and credit monitoring services.

Being prepared for when disaster strikes

More and more individuals entrust their personal information to various organizations, from healthcare providers to financial institutions. Unfortunately, data breaches—such as the one that resulted from Anna Jaques Hospital’s ransomware attack—can jeopardize this sensitive information, with no fault on the part of patients or customers.

Dedicated services like Bitdefender Digital Identity Protection offer continuous monitoring of online personal information across both the public and Dark Web, providing real-time alerts of data breaches involving your data and enabling swift action to mitigate potential identity theft or fraud.