The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Medusa Ransomware Group Leaks Data Stolen from American Renal Associates

The Medusa ransomware group has leaked data stolen from American Renal Associates. Moffitt Cancer Center has been affected by a cyberattack on a vendor, and Family Health Center in Michigan and Zuckerberg San Francisco General Hospital have reported the exposure of patient data.

American Renal Associates

American Renal Associates (ARA), one of the largest providers of dialysis services in the United States and a provider of care for patients suffering from end-stage renal disease, has experienced a Medusa ransomware attack. The ransomware attack has yet to be announced by ARA, but the Medusa ransomware group has leaked data allegedly stolen in the attack. The attack occurred on March 2, 2024, and affected hundreds of computers.

According to an analysis of the leaked data by Marco A. De Felice, around 5TB of data was stolen by the Medusa group, including the protected health information of an estimated 37,700 patients. The leaked data includes patient names, dates of birth, phone numbers, email addresses, medical records, Social Security numbers, copies of passports and driver’s licenses, health insurance information, and company data.

Moffitt Cancer Center

Moffitt Cancer Center in Florida has announced that it has been affected by a security incident at one of its vendors. The law firm, Gunster, Yoakley, and Stewart, was provided with patient data in connection with legal services provided to Moffitt Cancer Center. Hackers gained access to the law firm’s network and may have obtained data such as names, dates of birth, Social Security numbers, driver’s license numbers, passport numbers, other government-issued identification numbers, financial account information, and medical information, including medical records numbers, health insurance benefit information, claims data, and diagnosis and treatment information.

The law firm started notifying affected individuals in April 2023; however, as the investigation progressed, it became clear that other individuals had been affected. Further notification letters were mailed in the following months, with Moffitt Cancer Center patients notified in April 2024. It is currently unclear how many Moffitt Cancer Center patients have been affected.

Family Health Center

Family Health Center in Kalamazoo, MI, has announced that it fell victim to a cyberattack that caused network disruption and impacted the functionality and access of certain systems. When the breach was detected on January 25, 2024, prompt action was taken to contain the attack and prevent further unauthorized access, and a third-party cybersecurity firm was engaged to conduct a forensic investigation.

The investigation uncovered evidence of unauthorized access to files that contained patient information. The review of those files confirmed that they contained employee information such as names, addresses, health insurance information, and Social Security numbers, and patient information such as first names, last names, and medical information. Family Health Center has reported the breach to the HHS’ Office for Civil Rights as affecting 3,240 individuals and said it has taken steps to improve security, including expanding multi-factor authentication and increasing monitoring of its network for suspicious activity.

Zuckerberg San Francisco General

Zuckerberg San Francisco General in California has announced that a medical logbook that contained patient information went missing in December 2023. The logbook contained patient data from January 11, 2022, to December 12, 2023, including names, dates of birth, genders, medical record numbers, visit dates, dates of specimen collection, reason for specimen collection, whether a result was received, and other types of health information.

At the time of the announcement, no reports had been received to indicate any misuse of patient data. Zuckerberg San Francisco Hospital is reviewing its policies and procedures and is providing additional security awareness training to employees. The incident has been reported to the HHS’ Office for Civil Rights as affecting 755 individuals.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
