Community Health Center confirms suffering a data breach

The criminals stole sensitive information on more than a million people

This was not a ransomware attack, CHC claims

More than a million people may have had their sensitive information stolen, after a “skilled hacker” broke into the IT system of Community Health Center (CHC).

The company filed a new report with the Maine Office of the Attorney General which said it spotted “unusual activity” in its computer systems, on January 2.

“That same day, we brought in experts to investigate and reinforce the security of our systems. They found that a skilled criminal hacker got into our system and took some data, which might include your personal information.”

No ransomware

The data stolen in this attack includes people’s names, dates of birth, addresses, phone numbers, emails, diagnoses, treatment details, test results, Social Security numbers, and health insurance information - all of which is more than enough to run highly personalized phishing attacks, and maybe even wire fraud.

CHC is a Connecticut-based nonprofit healthcare provider that offers comprehensive primary care, dental, behavioral health, and specialty services to underserved communities.

This doesn’t seem to have been a ransomware attack, however, as CHC added that the actors did not delete, or lock, any of the affected data. Therefore, the attack did not affect its daily operations, it added.

“We believe we stopped the criminal hacker’s access within hours, and that there is no current threat to our systems.”

CHC is now notifying affected individuals about the breach and offering assistance, including free identity theft protection through IDX. In the letter, CHC said that IDX will provide 24 months of credit and CyberScan monitoring. Furthermore, the company set aside a $1M reimbursement policy, and promised to help recover stolen identities.

In recent months, ransomware groups have started moving away from encryptors and focusing solely on data theft. Apparently, it is equally effective in terms of ransom demands, yet cheaper and easier to pull off. It seems that in this case, CHC was not asked for a ransom yet.

