Cyber Incident Victim: Carinthia
Date: Mar 2022
Location: United States of America
Summary
A cyberattack compromised sensitive personal and medical data of approximately two million individuals through a breach at a Massachusetts healthcare services provider. Unauthorized access occurred over a two-week period, with attackers exfiltrating comprehensive information including Social Security numbers, medical records, diagnoses, insurance details, and billing data. The organization detected suspicious activity and initiated containment measures alongside third-party forensic investigators, later confirming extensive data theft. Federal law enforcement and health regulators were notified, with breach notifications planned for affected individuals. The provider offers imaging and emergency services across numerous medical facilities in the northeastern United States.
Description
The Shields Health Care Group, a Massachusetts-based healthcare organization providing MRI, radiology, and ambulance services to over 50 hospitals and medical facilities across the northeastern United States, experienced a significant cybersecurity incident between March 7 and March 21, 2022. Hackers infiltrated the company's systems and maintained unauthorized access for approximately two weeks before detection. The organization's IT team first identified a security alert around March 18 but initially found no evidence of data theft. Subsequent investigation revealed the full scope of the breach by March 28, when Shields confirmed both the intrusion and data compromise. During the intrusion period, attackers accessed databases containing highly sensitive personal and medical information belonging to approximately two million individuals. The compromised systems were partially rebuilt as part of containment efforts while third-party forensic specialists assisted with the investigation. Federal law enforcement agencies were notified immediately upon confirmation of the breach.

The attackers exfiltrated extensive personal health information including full names, Social Security numbers, dates of birth, home addresses, provider details, medical diagnoses, billing records, insurance information, medical record numbers, and patient identifiers. Shields Health Care Group did not initially disclose whether the attack involved ransomware or specify the identity of the threat actors. The organization filed mandatory breach notifications with the U.S. Department of Health and Human Services Office for Civil Rights and planned to inform state regulators. Impacted individuals were scheduled to receive direct notification letters, though the company did not commit to providing identity theft protection services. The breach affected patients across multiple healthcare facilities including Emerson Hospital, UMass Memorial Health, Tufts Medical Center, and Wellesley College, reflecting the organization's broad service network across academic medical centers and community hospitals. Forensic analysis continued to determine the exact attack vector and whether any additional systems beyond the identified databases were compromised.
