Data breach leaks 88K Access Sports patients' SSNs, financial & medical info

New Hampshire clinic Access Sports Medicine and Orthopaedics this week confirmed it notified 88,044 people of a May 2024 data breach that compromised names, Social Security numbers, financial info, medical info, and health insurance info.

Ransomware gang Inc claimed responsibility for the attack on May 18, 2024.

The notice sent to affected patients states, “On May 10, 2024, Access Sports detected suspicious activity in our network environment. Upon discovery of this incident, Access Sports promptly took steps to secure our network and engaged a specialized cybersecurity firm to investigate the nature and scope of the incident. As a result of the investigation, Access Sports Medicine learned that an unauthorized actor accessed certain files and data stored within our network.”

Access Sports has not verified Inc’s claim. We do not yet know whether Access Sports paid a ransom, how much Inc demanded, or how attackers breached Access Sports’ network. Comparitech contacted Access Sports for comment and will update this article if it responds.

Eligible victims can sign up for free credit monitoring offered by Access Sports via Cyberscout. The enrollment deadline is 90 days from receipt of the notice letter.

Who is Inc Ransomware?

Inc Ransomware emerged in July 2023 and targets a wide range of victims in healthcare, education, and government. Its methods involve spear phishing and exploiting known vulnerabilities in software.

Comparitech researchers have tracked 47 confirmed ransomware attacks claimed by Inc, affecting more than 1.3 million records. Nearly 422,000 of those records came from healthcare companies. Inc’s biggest attack on healthcare was against Otolaryngology Associates LLC, which affected 316,82 records.

Inc also claimed responsibility for a recent attack on McLaren Health Care, which crippled the clinic’s computer systems for several weeks.

Inc has claimed another 117 ransomware attacks that haven’t been confirmed or acknowledged by victims.

Ransomware attacks on US healthcare

Ransomware attacks on hospitals, clinics, and other medical providers can lock down computer systems used to access medical records, book appointments, pay staff, bill patients, communicate with patients, order drugs and equipment, and more. Targets are forced to pay attackers a ransom for a key to unlock their systems, and/or in exchange for the attackers not selling or publishing stolen data.

In 2024 so far, we’ve logged 62 confirmed ransomware attacks on US healthcare companies, affecting more than 6.6 million records. This attack on Access Sports is the 12th-largest this year.

Other such attacks include those on North Cottage Program (Qilin), Turning Point of Central California (Abyss), Planned Parenthood of Montana (RansomHub), and Gramercy Surgery Center (Everest).

We recorded another 114 ransomware attacks on US healthcare companies that were claimed by hacker groups but not confirmed by targets.

About Access Sports Medicine and Orthopaedics

Access Sports Medicine and Orthopaedics consists of six locations in New Hampshire. Its services include treatment for sports injuries and concussions, MRIs, x-rays, physical and occupational therapy, and back pain management. Access Sports employs between 51 and 200 people, according to its LinkedIn profile.