Anna Jaques Hospital in Massachusetts yesterday confirmed it notified 316,342 people about a December 2023 data breach that compromised the following patient info:
- Name
- Social Security number
- Demographic info
- Medical info
- Health insurance info
- Driver’s license number
- Financial info
- “Other” personal or health info
Ransomware gang Money Message claimed responsibility for the attack, saying it stole 500 GB of data from Anna Jacques. The group posted scans of what it says are stolen documents as proof of the hack, including intake forms, diagnoses, imaging orders, patient health summaries, and consent forms.
Anna Jaques has not verified Money Message’s claim. We do not yet know whether the hospital paid a ransom, how much Money Message demanded, or how attackers breached the hospital’s network. Comparitech contacted Anna Jacques for comment and will update this article if it responds.
The attack occurred on Christmas day, 2023 and caused an outage of the hospital’s medical record system. Ambulances were diverted to other hospitals as a result. Anna Jaques on January 24, 2024 announced on its website that it was the victim of a cyber attack, but it took nearly a year to directly notify victims.
Anna Jaques’ notice to victims states, “On or about December 25, 2023, Anna Jaques experienced a cybersecurity incident that affected certain systems within our network envirionment, and caused a disruption to some of our operations.”
Notably, the hospital’s notice does not offer victims free credit monitoring or identity theft protection, which is the status quo when a company leaks its customers’ Social Security numbers.
Who is Money Message?
Money Message is a ransomware group that first emerged in 2023. It has claimed eight confirmed ransomware attacks since, mostly in its debut year. Its only attack in 2024 was against Insurance Agency Marketing Services in March.
The group also claimed responsibility for a large breach of 5.8 million records at PharMerica (BrightSpring Health) in April 2023.
Money Message has claimed another 12 unconfirmed attacks that weren’t acknowledged by targets.
Ransomware attacks on US healthcare
Ransomware attacks on hospitals, clinics, and pharmacies can steal data and lock down computer systems used for everything from accessing medical records to bill payments. Providers might be forced to cancel appointments and switch to pen-and-paper processes until a ransom is paid to unlock their computer systems.
So far in 2024, Comparitech researchers tracked 131 confirmed ransomware attacks on US hospitals, clinics, and other healthcare providers, affecting 117.5 million records. In 2023, we recorded 174 such attacks affecting 49.6 million records.
Other recently confirmed attacks on US healthcare include RATeam’s breach of Rockford Gastroenterology Associates from December 2023. Rockford notified 147,253 breach victims.
Last month, Southern Oregon Veterinary Specialty Center, American Associated Pharmacies, and Medica Corporation all fell victim to ransomware attacks.
About Anna Jacques Hospital
Anna Jacques Hospital is a 119-bed hospital in Newburyport, Massachusetts offering patients primary and emergency care. It is part of Beth Israel Lahey Health, a system of hospitals in the Eastern part of the state.
