A mental health clinic and community center in Taft, Texas yesterday confirmed it notified 45,357 people of a data breach that compromised their sensitive private info. Coastal Plains Community MHMR Center, which does business as Coastal Plains Community Center and Coastal Plains Integrated Health, says attackers breached its systems and potentially accessed the following information on November 12, 2023:
- Name
- Birth certificate
- Social Security number
- Driver’s license/government ID
- Passport number
- Medical record number
- Patient account number
- Medical provider name
- Health insurance information
- Clinical or treatment information
- Financial account information
- Taxpayer identification number
Ransomware group LockBit claimed responsibility for the attack shortly after it occurred, and gave Coastal Plains Community until January 10, 2024 to pay an undisclosed sum as ransom. In exchange, LockBit would agree not to sell stolen data or release it to the public.
Coastal Plains Community has not verified LockBit’s claims. We do not yet know whether Coastal Plains paid a ransom, or how much LockBit demanded.
Despite the sensitive nature of the breached info, Coastal Plains Community did not offer free credit monitoring or identity theft protection to victims, as is the status quo for breaches of this size and scope. Comparitech encourages victims to monitor their credit reports, financial accounts, taxes, and medical bills for signs of fraud.
Coastal Plains did not disclose how attackers breached its network. Comparitech contacted Coastal Plains for comment and will update this article if it responds.
Who is LockBit?
LockBit is one of the most prolific ransomware gangs of recent years. It’s responsible for hundreds of attacks, including several high-profile targets in healthcare, government, education, critical infrastructure, and the private sector. After law enforcement raid attacked LockBit’s infrastructure earlier this year, the group is starting to resurface.
So far in 2024, we tracked 57 confirmed attacks claimed by LockBit, affecting more than 7.8 million records. The majority (7.6 million) stem from its attack on Evolve Bank & Trust earlier this year.
In 2023, LockBit claimed responsibility for 214 confirmed ransomware attacks, impacting more than 17 million records and demanding an average ransom of nearly $18 million. 21 of those attacks were on healthcare companies.
Ransomware attacks on US healthcare
Hospitals, clinics, and other healthcare-related organizations are frequent targets for ransomware attacks. In addition to data theft, ransomware can disrupt key systems used for payments, appointments, medical records, and more. Hospitals and clinics might be forced to cancel appointments and divert patients elsewhere, or resort to pen and paper until systems are restored.
Comparitech researchers recorded 136 confirmed ransomware attacks on US healthcare providers in 2023, affecting 23,203,336 records. The average ransom was $1.4 million. LockBit claimed responsibility for 17 of these attacks, affecting more than 863,000 records. The biggest of these were the attacks on Panorama Eyecare (378,000 records) and United Medical Centers (127,000 records).
So far this year we’ve tracked 47 confirmed ransomware attacks on US healthcare, affecting 5,462,182 records. LockBit claimed responsibility for two of these — Ernest Health and Mālama I Ke Ola Health Center.
We’ve logged another 100 unconfirmed ransomware attacks on this sector so far in 2024.
About Coastal Plains Community
Coastal Plains Community Center and Coastal Plains Community Health both fall under the umbrella of Coastal Plains Community MHMR Center, a not-for-profit behavioral health center in Taft, Texas. The center serves people with intellectual and developmental disabilities across nine counties in rural south Texas.
According to its website, “The Center operates with a budget of $14,760,809 and serves approximately 3,400 Adults with severe and persistent mental illnesses, 1,000 Youths with serious emotional, behavioral or mental health disorders, and 450 intellectually developmentally delayed persons a year.”