Yale New Haven Health has notified more than 5.5 million people that their private details were likely stolen by miscreants who broke into the healthcare system’s network last month.
The organization is affiliated with Yale University and Yale School of Medicine. It is Connecticut’s largest provider of its kind, with five hospitals and medical clinics throughout the US state as well as New York and Rhode Island.
It disclosed it had suffered a “cybersecurity incident” on March 11, alerting patients and staff they may experience on-site phone and internet and application connectivity issues as a result of an IT breach a few days earlier. The healthcare system brought in Mandiant’s incident response team, which determined a cyberattack had indeed taken place, and also notified the Feds and law enforcement.
“Due to our team’s quick action to identify and help to contain this incident, it has not affected our ability to provide patient care,” the org said. “Our patient portal and electronic medical records are running as normal, and our teams are working hard to manage the impact of phone and internet connection issues on patient care.”
In a subsequent notice on its website, the healthcare giant provided a few more details, and admitted the intruders stole at least some patient data that, depending on the individual, may have included Social Security numbers; demographic info such as name, date of birth, address, telephone number, email address, race, or ethnicity; patient type; and medical record numbers.
The healthcare org said it began mailing letters to affected patients on April 14, and recently disclosed to the US govt’s Health and Human Services’ Office for Civil Rights that more than 5.5 million people will receive these letters: 5,556,702 to be exact. This makes it one of the biggest healthcare privacy breaches this year, if not the biggest.
The statements didn’t provide any additional details about what happened — how the crooks broke into the network, whether they encrypted any hospital files, and if they demanded a ransom payment. The Register asked the nonprofit about all of the above, and will update this story if and when we hear back.
However, bringing in the big guns — Google’s Mandiant, which is arguably the top incident response team and regularly called in to clean up ransomware infections and nation-state attacks, as well as federal authorities and the cops — indicates that this was serious. And ransomware crews do love to hit hospitals, which are more likely to cave to extortion demands so they can continue providing uninterrupted patient care.
“YNHHS’ electronic medical record and treatment information were not involved or accessed, and no financial account or payment information was involved in this incident,” according to the notice, which adds: “At no point did this incident impact our ability to provide patient care.”
It also assures folks it is not aware of miscreants using their personal details for identity theft or fraud. But, per usual with these types of compromises, YNHHS is providing free credit monitoring and identity protection services to anyone whose Social Security Number was stolen.
The Yale breach follows another major data leak involving another healthcare giant, Blue Shield of California, which this week disclosed it shared sensitive health information belonging to as many as 4.7 million members to Google’s advertising empire, likely without these individuals’ knowledge or consent. ®