Cyber Incident Victim: Community Clinic of Maui
Date: May 2024
Location: United States of America
Summary
The Community Clinic of Maui experienced a ransomware attack compromising sensitive personal and medical data of approximately 123,000 individuals, including Social Security numbers, financial account details, biometric information, and medical treatment records. The breach disrupted operations, forcing a closure of nearly two weeks and prolonged reliance on paper-based systems after reopening with limited services. LockBit, the ransomware group claiming responsibility, was later targeted by international law enforcement operations. While the clinic offered credit monitoring for those with exposed Social Security numbers, it did not provide identity theft protection services, leading to potential legal investigations into its breach response. Cybersecurity experts and authorities were engaged to address the incident.
Description
The Community Clinic of Maui, operating as Mālama, experienced a significant cyberattack between May 4 and May 7, 2024, during which unauthorized actors accessed sensitive personal and medical data. Hackers infiltrated systems containing Social Security numbers, passport numbers, financial account details including CVV codes and expiration dates, medical treatment records, bank routing numbers, bank names, and biometric data. The breach impacted 123,882 individuals, prompting the clinic to take affected servers offline to contain the intrusion. This operational disruption forced Mālama to close entirely for nearly two weeks, severely impacting healthcare access for Maui residents. When the clinic partially reopened at the end of May, it operated with limited services, and staff resorted to paper charting due to the complete loss of computer access. Local news outlets characterized the incident as a ransomware attack, which generated community outrage over the prolonged service interruptions. In June, the LockBit ransomware gang publicly claimed responsibility for the attack, aligning with law enforcement's later confirmation that LockBit infrastructure was involved. The clinic's emergency response included immediate coordination with law enforcement agencies and the engagement of cybersecurity experts to investigate the breach's scope and origin.

Mālama confirmed the forensic findings of its investigation on August 7, 2024, notifying affected individuals that those with compromised Social Security numbers would receive complimentary credit monitoring. However, regulatory filings in Maine contradicted this by stating identity theft protection services were not being offered, and the clinic declined to clarify the discrepancy. A law firm initiated investigations into potential class-action lawsuits against Mālama for alleged failures in safeguarding patient data. The attack occurred amid a broader surge in ransomware targeting critical healthcare infrastructure, with notable incidents affecting McLaren Health Care, Ascension, and a Level 1 trauma center in the southwestern U.S. that diverted ambulances during its outage. Concurrently, international law enforcement agencies including Europol executed operations against LockBit, arresting four suspects and seizing critical servers in France, the U.K., and Spain. These actions formed part of a coordinated effort to dismantle the group's operations following its resurgence earlier in 2024. The clinic’s prolonged recovery underscored systemic vulnerabilities in healthcare cybersecurity, with patient care disruptions persisting weeks after systems were initially disabled.
