The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

2 Million Patients Affected by Shields Health Care Group Cyberattack

The protected health information of up to 2 million individuals has potentially been compromised in a Shields Health Care Group cyberattack. Massachusetts-based Shields Health Care Group provides ambulatory surgical center management and medical imaging services throughout New England. On March 28, 2022, suspicious activity was detected within its network. Immediate action was taken to secure its network and prevent further unauthorized access, and third-party forensics specialists were engaged to assist with the investigation and determine the nature and scope of the security breach.

The forensic investigation determined that an unauthorized actor had access to certain Shields systems between March 7, 2022, and March 21, 2022. Shields said a security alert had been triggered on March 18, 2022, which was investigated, but at the time it did not appear that there had been a data breach. It has since been confirmed that during that period of access, certain data was removed from its systems. Shields said it has not been made aware of any cases of actual or attempted misuse of patient data.

A review of the files that were removed from its systems or may have been accessed by unauthorized individuals confirmed the following types of information were involved: full name, Social Security number, date of birth, home address, provider information, diagnosis, billing information, insurance number and information, medical record number, patient ID, and other medical or treatment information. Shields is continuing to review the affected data and will issue notifications to affected individuals on behalf of all affected facility partners when that review has been completed.

When the attack was discovered, immediate action was taken to secure its network and data. Certain systems have now been rebuilt, and additional safeguards have been implemented to better protect patient data. Cybersecurity measures will be reviewed and enhanced moving forward to ensure continued data security.

The HHS’ Office for Civil Rights Breach Portal has the breach listed as affecting 2,000,000 individuals. Shields said those individuals had received services at the following 56 facility partners:

Affected Facility Partners

  • Cape Cod Imaging Services, LLC (a business associate to Falmouth Hospital Association, Inc)
  • Cape Cod PET/CT Services, LLC
  • Cape Cod Radiation Therapy Service, LLC
  • Central Maine Medical Center
  • Emerson Hospital
  • Fall River/New Bedford Regional MRI Limited Partnership
  • Falmouth Hospital Association, Inc.
  • Franklin MRI Center, LLC
  • Lahey Clinic MRI Services, LLC
  • Massachusetts Bay MRI Limited Partnership
  • Mercy Imaging, Inc.
  • MRI/CT of Providence, LLC
  • Newton Wellesley Orthopedic Associates, Inc.
  • Newton-Wellesley Imaging, PC
  • Newton-Wellesley MRI Limited Partnership
  • Northern MASS MRI Services, Inc.
  • NW Imaging Management Company, LLC (a business associate to Newton Wellesley Orthopedic Associates, Inc.)
  • PET-CT Services by Tufts Medical Center and Shields, LLC
  • Radiation Therapy of Southeastern Massachusetts, LLC
  • Radiation Therapy of Winchester, LLC
  • Shields and Sports Medicine Atlantic Imaging Management Co, LLC (a business associate to SportsMedicine Atlantic Orthopedics P.A.)
  • Shields CT of Brockton, LLC
  • Shields Healthcare of Cambridge, Inc.
  • Shields Imaging at Anna Jaques Hospital, LLC
  • Shields Imaging at University Hospital, LLC
  • Shields Imaging at York Hospital, LLC
  • Shields Imaging Management at Emerson Hospital, LLC (a business associate to Emerson Hospital)
  • Shields Imaging of Eastern Mass, LLC
  • Shields Imaging of Lowell General Hospital, LLC
  • Shields Imaging of North Shore, LLC
  • Shields Imaging of Portsmouth, LLC
  • Shields Imaging with Central Maine Health, LLC (a business associate to Central Maine Medical Center)
  • Shields Management Company, Inc.
  • Shields MRI & Imaging Center of Cape Cod, LLC
  • Shields MRI of Framingham, LLC
  • Shields PET/CT at CMMC, LLC
  • Shields PET_CT at Berkshire Medical Center, LLC
  • Shields PET-CT at Cooley Dickinson Hospital, LLC
  • Shields PET-CT at Emerson Hospital, LLC
  • Shields Radiology Associates, PC
  • Shields Signature Imaging, LLC
  • Shields Sturdy PET-CT, LLC
  • Shields-Tufts Medical Center Imaging Management, LLC (a business associate to Tufts Medical Center, Inc.)
  • South Shore Regional MRI Limited Partnership
  • South Suburban Oncology Center Limited Partnership
  • Southeastern Massachusetts Regional MRI Limited Partnership
  • SportsMedicine Atlantic Orthopedics P.A.
  • Tufts Medical Center, Inc.
  • UMass Memorial HealthAlliance MRI Center, LLC
  • UMass Memorial MRI – Marlborough, LLC
  • UMass Memorial MRI & Imaging Center, LLC
  • Winchester Hospital / Shields MRI, LLC

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
