Cyber Incident Victim: Hopkinsmedicine

Date: May 2023

Location: United States of America

Summary

A cyberattack exploiting a vulnerability in MOVEit file transfer software impacted the Johns Hopkins Health System, affecting 2,584 individuals. The incident was attributed to the Cl0p ransomware syndicate, a Russian hacker group responsible for a broader global campaign. The breach involved protected health information, prompting an investigation by the U.S. Office for Civil Rights. The organization established a dedicated call center to assist those affected by the data compromise.

Description

On or around May 31, 2023, the Johns Hopkins Health System Corp. discovered a significant data breach. The breach was publicly disclosed by the organization in an email sent to its community on June 14, 2023. The incident notification explained that the breach potentially affected a wide range of individuals associated with the institution, including employees, students, and patients. The scope of the breach was confirmed to impact 2,584 people. The cyberattack was linked to the exploitation of a vulnerability in a third-party software tool known as MOVEit, which is widely used for secure file transfers. The parent company of this software, Progress Software, had itself alerted its customers to the existence of this critical vulnerability on the same day Johns Hopkins discovered its breach, May 31.

The investigation into the attack quickly pointed towards a known threat actor. By June 15, 2023, it was reported that a Russian hacker group, identified as the Cl0p ransomware syndicate, appeared to be responsible for the cyberattack against Johns Hopkins. This attribution was based on the group's public claims of responsibility for a broader global campaign that exploited the same MOVEit software vulnerability. This wider attack campaign impacted numerous other major organizations around the world, including the BBC, British Airways, and the government of Nova Scotia, among dozens of others. When questioned by news media, the Federal Bureau of Investigation (FBI) declined to comment specifically on the Johns Hopkins incident but did refer inquiries to an existing agency advisory that detailed how the Cl0p group was exploiting the MOVEit vulnerability to compromise companies globally.

In response to the discovery, Johns Hopkins established a dedicated call center and online resources to assist affected individuals. The provided contact number was 888-703-9247, with operating hours on weekdays from 9 a.m. to 9 p.m. Eastern Time. The institution also directed its community to informational webpages at jhu.edu/DataAttack and HopkinsMedicine.org/DataAttack for further details and assistance. A Johns Hopkins spokeswoman, Jill Rosen, stated in June that no further information was available beyond what had already been shared in the initial community communication, indicating the ongoing nature of the investigation at that time.

The regulatory consequences of the breach began shortly thereafter. The U.S. Office for Civil Rights (OCR), a division of the Department of Health and Human Services, initiated an investigation into the Johns Hopkins Health System Corp. data breach. The OCR routinely opens investigations into all breaches of unsecured protected health information that affect 500 or more individuals, a threshold that was met by this incident. The online indication from the OCR specified that it was investigating the health system entity; it remained unclear from available reports whether the separate cyberattack against Johns Hopkins University would also fall under the same OCR investigation. The breach represents a significant incident involving a major healthcare and research institution, in which attackers leveraged a widespread software vulnerability to compromise the personal data of thousands. The event underscores the ongoing threat posed by sophisticated cybercriminal groups targeting third-party applications to gain access to sensitive information across multiple sectors.
