6M affected by data breach at life insurance software vendor

The data of more than six million individuals was jeopardized when Infosys McCamish Systems suffered a ransomware attack last fall.

Infosys McCamish Systems (IMS), a life insurance software vendor, notified the Maine Attorney General’s Office of a data breach that affected more than six million individuals. The breach resulted from an October 2023 ransomware attack.

According to the breach notification, IMS discovered that certain systems had been encrypted by ransomware on November 2, 2023. Further investigation determined that a threat actor had first gained access on October 29.

The affected information included Social Security numbers, driver’s license numbers, financial account information, passport numbers, email addresses and passwords, dates of birth, medical treatment information and biometric data. The impacted information varied by individual.

IMS began notifying the victims officially on June 27, following a comprehensive review of the data.

“Upon discovery of the Incident, IMS moved quickly to investigate and respond to the Incident, assess the security of its systems, and notify impacted organizations and individuals,” the notice stated.

“IMS also reviewed its existing policies and procedures and implemented additional safeguards to further secure its systems and the information contained therein.”

Lurie Children’s Hospital issues official breach notice

Lurie Children’s Hospital in Chicago filed a breach notice with the Maine Attorney General’s Office, confirming that 791,784 individuals were impacted by a January 2024 cyberattack and data breach.

As previously reported, the cyberattack rendered certain Lurie systems unavailable for weeks, including its Epic EHR platform, email and phone systems. The Rhysida ransomware gang allegedly claimed responsibility for the cyberattack and boasted about stealing 600 GB of data.

The children’s hospital remained open to patients throughout the cyberattack and subsequent investigation.

The information involved in the breach included names, addresses, dates of service, dates of birth, health claims information, health plan information, prescription information, Social Security numbers and diagnoses.

Lurie Children’s said it had no evidence that the cybercriminals accessed data stored in its Epic EHR system.

“At Lurie Children’s, we take seriously the privacy of our patients’ and team members’ sensitive information. Lurie Children’s did not pay a ransom,” the notice stated.

“Experts have advised that making a payment to cybercriminals does not guarantee the deletion or retrieval of data that has been taken. Once our investigation team identified an amount of data that was impacted by the cybercriminals, we worked closely with law enforcement to retrieve that data.”

Minnesota radiology practice suffers data breach

Minnesota-based Consulting Radiologists LTD (CRL) notified more than 583,000 individuals of a data breach. On February 12, 2024, CRL discovered suspicious network activity and engaged a third-party cybersecurity firm to investigate.

CRL later learned that an unauthorized actor had accessed certain files and data stored within its network. Over the course of the next few months, CRL reconstructed and reviewed the impacted data.

The affected data included names, dates of birth, medical information, addresses and health insurance information. The Social Security numbers and imaging reports of a subset of individuals were also impacted.

CRL has since updated its policies to reduce the likelihood of a similar event in the future.
