
Anna Jaques Hospital has confirmed on its website that a ransomware attack it suffered almost precisely a year ago, on December 25, 2023, has exposed sensitive health data for over 310,000 patients.

Anna Jaques is a not-for-profit community hospital in Massachusetts, recognized for delivering high-quality care and performing over 4,700 surgeries yearly.

As a mid-size acute hospital providing 83 beds, 200 physicians, and 1,200 staff members, AJH plays a crucial role in Merrimack Valley, North Shore, and southern New Hampshire, providing essential healthcare services to the local population.


In 2023, at Christmas time, Anna Jaques learned that a cyberattack had impacted specific systems and took immediate action to contain the damage by taking them offline and alerting law enforcement.

The healthcare organization launched an investigation on January 24, 2024, a few days after the 'Money Message' ransomware group began publicly extorting the hospital on January 19.

The threat actors leaked data samples allegedly stolen from Anna Jaques on their dark web extortion site, threatening to expose sensitive patient information if their demands weren't met.

Subsequent updates on the Money Message page showed that the hospital's administrators didn't engage with the threat actors, and the situation culminated with the release of all data on January 26.

Money Message announcement on Anna Jaques
Source: BleepingComputer

Anna Jaques states that the forensic investigation into what the threat actors had stolen was thorough and lengthy, involving manual document review, so it was only completed on November 5, 2024.

According to the related entry on the Office of the Maine Attorney General's website, where Anna Jaques posted a sample of the notification it sent to affected individuals yesterday, the incident has impacted 316,342 patients.

According to the results of the investigation, the following information has been exposed:

  • Demographic information
  • Medical information
  • Health insurance information
  • Social Security number
  • Driver's license number
  • Financial information
  • Other personal or health information provided to Anna Jaques

"Anna Jaques has no indication that there has been any fraud as a result of this incident," reads the announcement.

"However, out of an abundance of caution, commencing on December 5, 2024, Anna Jaques notified individuals whose information may have been impacted as a result of the incident to the extent Anna Jaques had their address."

"Additionally, Anna Jaques reminds its employees and patients to remain vigilant in reviewing financial account statements on a regular basis for any fraudulent activity."

Those impacted are offered 24-month-long identity protection and credit monitoring services through Experian and 1B and are urged to consider placing a fraud alert or security freeze on their credit file.
