The Richmond University Medical Center in New York has been investigating a ransomware attack since May 2023 and it recently determined that the incident resulted in a data breach affecting more than 670,000 people.
The healthcare facility, which serves residents in Staten Island, New York, suffered significant disruptions in May 2023 after being targeted in a ransomware attack. It took the organization several weeks to restore impacted services.
An initial forensic investigation showed that the hospital’s electronic health record systems were not compromised, but it was later determined that other files may have been accessed or exfiltrated from Richmond University Medical Center’s network in early May.
“Once the investigation determined what files may have been accessed or removed from our network, we located a copy of each file and then undertook a manual review process of those files to determine whether they contained any sensitive personal information or personal health information,” the hospital said in a security incident notice.
On December 1, 2024, investigators determined that at least one of the exposed files contained personal information, including names and one or more of the following types of data: Social Security numbers, driver’s license or state ID numbers, dates of birth, financial account information, payment card information, biometric information, user credentials, medical information, and health insurance policy information.
Individuals whose SSN may have been compromised are being offered 12 months of free credit monitoring services.
However, if the information was indeed stolen more than one and a half years ago, cybercriminals and fraudsters have had plenty of time to abuse it.
SecurityWeek has not seen any known ransomware group taking credit for the Richmond University Medical Center attack.
While this could indicate that the healthcare organization paid a ransom to avoid a data leak, the investigation apparently determined that sensitive information was compromised long after a ransomware group would have made the stolen information public.
When the hospital informed state attorney generals about the incident in mid-December 2024, it did not disclose the exact number of impacted individuals, but the organization told the US Department of Health and Human Services in recent days that the data breach impacts 674,033 people.
Related: Other Healthcare Data Breaches Covered by SecurityWeek
Related: American Addiction Centers Data Breach Impacts 422,000 People
Related: Regional Care Data Breach Impacts 225,000 People
Related: 446,000 Impacted by Center for Vein Restoration Data Breach
