Mount Carmel Care Center breach

Mount Carmel Care Center this week confirmed it notified 2,375 people of an August 2023 data breach that compromised names, Social Security numbers, bank account numbers, routing numbers, bank names, dates of birth, payment card information, medical information, health insurance information, and employee identification.

Ransomware group Medusa claimed responsibility for the attack in October 2023, and demanded $300,000 in exchange for not selling or publicly releasing stolen data.

Mount Carmel Care Center ransomware

Mount Carmel has not verified Medusa’s claim. We do not yet know whether Mount Carmel paid a ransom, how attackers breached its network, or why it took nearly a year to notify victims. Comparitech contacted Mount Carmel for comment and will update this article if it responds.

The notice states, “… the network had been accessed by an unknown actor between August 17, 2023 and October 15, 2023, and during this time files were copied. As a result, we conducted a detailed review of the files to determine the type of information present and to whom it related. On June 6, 2024 we completed the review.”

The notice does not offer victims free credit monitoring or identity theft protection.

Who is Medusa?

Medusa first surfaced in September 2019 and debuted its leak site in February 2023, where it publishes stolen data of victims who don’t pay ransoms. Medusa often uses a double-extortion approach in which victims are forced to pay twice: once to decrypt their systems, and once for not selling or publishing stolen data.

Since the start of 2023, Comparitech researchers logged 84 confirmed ransomware attacks claimed by Medusa that have affected more than 246,000 records. The average ransom across all of these attacks was $740,000.

Of those attacks, 11 were against healthcare companies with an average ransom of $386,400.

Medusa has claimed another 97 ransomware attacks that haven’t been confirmed.

Ransomware attacks on US healthcare

In addition to data theft, ransomware attacks on hospitals, clinics, and other healthcare-related companies can disrupt operations and lead to life-threatening consequences. Targeted organizations are forced to pay a ransom to restore their systems and avoid the sale or publication of stolen data.

In 2024 so far, Comparitech recorded 56 confirmed ransomware attacks on US healthcare entities, with an average ransom of $825,000. Another 109 such attacks have been claimed by attackers but not confirmed by targets.

Medusa was responsible for attacks on Radiosurgery New York, Sutton Dental Arts, and Woodfords Family Services.

About Mount Carmel Care Center

Mount Carmel Care Center (MCCC) is a nursing home in Lenox, Massachusetts that offers long-term care, short-term rehabilitation, and respite care. According to its LinkedIn page, it was founded in 2013 and employs between 51 and 200 people.