Group Health Cooperative of South Central Wisconsin (GHC-SCW) has started notifying more than half a million people that their personal information was stolen in a ransomware attack.
The incident occurred on January 25 and resulted in disruptions caused by the isolation of compromised systems, but no file-encrypting ransomware was deployed, GHC-SCW says in an incident notice on its website.
In February, the investigation into the attack revealed that the attackers exfiltrated data from the healthcare organization’s systems, including personal and protected health information.
The stolen information includes names, addresses, phone numbers, email addresses, dates of birth, dates of death, Social Security numbers, and Medicare/Medicaid numbers.
“Our discovery was confirmed when the attacker, a foreign ransomware gang, contacted GHC-SCW claiming responsibility for the attack and stealing our data,” the company says in a notification letter to the impacted individuals, a copy of which was submitted to the Maine Attorney General’s Office.
“We have no indication that information has been used or further disclosed,” the organization says.
GHC-SCW notes that it has been working with the FBI and CISA to mitigate the risks associated with the attack, and that it has notified the relevant authorities, consumer reporting agencies, and the impacted individuals.
“To reduce the risk of this happening again, we have implemented enhanced security measures across all our systems and networks. This includes strengthening existing controls, data backup, user training and awareness, and other measures,” GHC-SCW says.
The organization told the US Department of Health and Human Services that more than 530,000 individuals were impacted by the data breach.
GHC-SCW is a non-profit healthcare cooperative in Wisconsin that has more than 79,000 members and provides insurance services and clinical care in the South Central Wisconsin region.
While GHC-SCW did not name the cybercrime group responsible for the attack, the BlackSuit ransomware gang listed the organization on its Tor-based site in March, claiming to have stolen patient and member information, financial documents, business documents, several databases, and emails.
According to a November 2023 report, BlackSuit could be a rebrand of Royal ransomware, which is believed to have targeted over 350 organizations, claiming over $275 million in ransoms.
Also in November, the US Health Department warned healthcare organizations of attacks involving the BlackSuit ransomware, pointing out that both Royal and its predecessor, the Conti ransomware, had aggressively targeted the healthcare and public health sector.