Singing River Health System (SRHS) has more than trebled its estimate of the number of persons affected by the ransomware attack it suffered in August 2023.
The health care provider now estimates that the total number of persons affected in the breach to be 895,204, up from an initial report of 252,890.
The company, operator of the Singing River Gulfport Hospital, Singing River Hospital in Pascagoula, and the Ocean Springs Hospital, all in Mississippi, disclosed the new total in a data breach notice filed with authorities in the state of Maine on Monday. It had to file a report there because 25 Maine residents were among the hundreds of thousands affected.
“On August 19, 2023, Singing River was the victim of a malicious and sophisticated ransomware attack,” SRHS said in the notice. “Singing River promptly took steps to secure its systems and, with the assistance of third-party forensic specialists, conducted an investigation to confirm the nature and scope of the incident.”
Impact larger than previously thought
The healthcare system first reported the breach in an August 31, 2023, disclosure.
Initially, the breach was reported to the US Department of Health and Human Services (HHS) Office for Civil Rights as affecting at least 501 individuals, promising a final number upon completion of internal and third-party investigations.
On December 18, 2023, SRHS confirmed the breach compromised data of 252890 patients, all of whom were notified through mails on January 12, 2023. Similar notifications were sent on May 13, 2024, this time to the 25 Maine patients, confirming the new estimate.
“Through the investigation, Singing River identified unauthorized access within its environment between August 16 and August 18, 2023,” SRHS said in the notice. “Although we have no indication of any misuse of your personal information as a result of this event, out of an abundance of caution, we are providing notice to individuals who may have been impacted.”
The attack was claimed by the Rhysida ransomware gang, a notorious threat group that has hacked other healthcare systems including the Lurie Children’s Hospital and Prospect Medical Holdings — although its targets have also included educational institutions, manufacturing industry, and the Chilean army, according to a report by the HHS Health Sector Cybersecurity Coordination Center.
Breached data include patient health information
The breach compromised personal as well as health data of Singing River patients, including name, date of birth, address, Social Security number, medical information, and health information.
“Singing River has no evidence that any of your information was used for identity theft or fraud,” the company said in the notice. “We encourage potentially impacted individuals to remain vigilant against incidents of identity theft and fraud by reviewing their accounts, explanations of benefits, and credit reports for suspicious activity, and to report any suspicious activity to the affiliated institutions immediately.”
However, according to a report by Bleeping Computer, the Rhysida group has released 80% of the data it holds from the SRHS breach, which included a over 420,000 files amounting to more than 754 GB of data.
Healthcare is becoming a hot target with threat actors as data within these systems are mostly critical to a community or a country and make for an attractive hostage. Last week, mobile medical service provider DocGo was breached in a cyberattack.