ESO Solutions has started notifying 2.7 million individuals that their personal and health information was compromised in a ransomware attack.
The incident occurred on September 28 and forced the company, a data and software provider for emergency responders, hospitals, and state and federal agencies, to take systems offline to contain it.
The attackers, the company says in an incident notice on its website, accessed and encrypted some of its internal systems, which it was able to safely restore using backups.
“Our investigation determined that the unauthorized third party may have acquired your personal data during this incident. Please know that we have taken all reasonable steps to prevent the data from being further published or distributed, and have notified and are working with federal law enforcement to investigate,” the incident notice reads.
One of the compromised systems, ESO Solutions says, contained patient information, including names, addresses, phone numbers, and other sensitive personal information and protected health information.
In the notification letter sent to the impacted individuals, a copy of which was submitted to the Maine Attorney General’s Office, ESO explains that dates of birth, injury type and date, medical treatment information, patient account and/or medical record number, insurance and payer information, and Social Security numbers might have been exposed in some cases.
SecurityWeek has not seen any ransomware gang taking credit for the attack and ESO does not say whether it paid out a ransom to the attackers. However, the company’s statement that it has “secured the deletion of all impacted data and taken all reasonable steps to prevent the data from being further published or distributed” suggests that it did.
ESO told the Maine AGO that 2.7 million individuals were impacted by the data breach and that it started mailing out letters to them on December 12.
Of the 2.7 million affected, more than 9,500 were Tallahassee Memorial HealthCare (TMH) patients, the information of which was stored by ESO to facilitate the provision of services to the not-for-profit community healthcare organization.
“ESO is a valued partner and has coordinated with TMH to begin providing notice to all patients for whom there are verifiable mailing addresses and resources so potentially impacted individuals can protect themselves,” TMH says in an incident notification.
According to ESO, the attack also impacted patients at Mississippi Baptist Medical Center, Merit Health Biloxi, Merit Health River Oaks, ESO EMS Agency, Forrest General Hospital, Alaska Regional Hospital, Memorial Hospital at Gulfport, Providence Kodiak Island Medical Center, Providence Alaska Medical Center, and Desert View Hospital.