Ohio nursing home Carespring Healthcare Management is notifying approximately 77,000 individuals that their personal and medical information was compromised in a data breach that dates back to October 2023.
The incident was discovered on October 28, 2023, but the investigation into whether data was exfiltrated from the nursing home’s network took roughly nine months.
Last week, Carespring started sending written notification letters to the potentially affected individuals, and informed the Maine Attorney General’s Office that the information of 76,719 people was likely compromised in the breach.
“After an extensive forensic investigation and document review, we discovered on July 16, 2024, that between October 12, 2023, and October 30, 2023, a limited amount of information stored on our network may have been accessed and/or acquired by an unauthorized individual,” Carespring said.
Potentially compromised information, according to an incident notice, includes names, dates of birth, addresses, Social Security Numbers, medical and diagnosis information, and health insurance information.
Carespring said that it had no evidence that the compromised information has been used for fraud, but recommends that both employees and patients remain vigilant “in reviewing financial account statements on a regular basis for any fraudulent activity”.
The organization is providing the potentially impacted individuals with 12 months of free identity monitoring services, including credit monitoring, fraud consultation, and identity theft restoration.
The investigation into the incident, carried out by professionals and law enforcement, is still ongoing, Carespring said.
While Carespring did not share details on the type of cyberattack it fell victim to in October, its name appeared on the Tor-based leak sites of several ransomware groups.
On November 10, 2023, the Noescape ransomware group listed Carespring on their site, claiming the theft of 364GB of data from the nursing home. This year, Carespring was added to Hunters’ leak site in February and to LockBit’s in May.
Related: 460k Impacted by Kootenai Health Ransomware Attack
Related: Ransomware Attacks on Industrial Firms Surged in Q2 2024
Related: US Charges Three Europeans Over Ransomware and Malvertising
Related: Users Warned of New Aerst, ScareCrow Ransomware Families