ESO Solutions, a data and software provider for emergency responders and healthcare entities, has begun the notification process for 2.7 million people affected by a ransomware attack.
The breach, which occurred on September 28, forced ESO to temporarily shut down systems to limit the scope of the incident. Although the attackers accessed and encrypted internal systems, ESO said it restored them using backups.
In a incident notice released earlier today, the company said an unauthorized third party may have obtained personal data and was actively cooperating with federal law enforcement investigations. Patient information, including names, addresses and health details, was compromised, with potential exposure of sensitive information such as social security numbers.
“The fact is that HIPAA compliance includes the ability for healthcare providers to store ePHI in SaaS applications and in the cloud,” commented Colin Little, security engineer at Centripetal.
“All the advice I see aimed at healthcare providers indicates that SaaS application providers should be carefully considered before making this choice. While there are many factors that make choosing a SaaS application attractive, such as scalability and economics, a much more in-depth risk assessment of this strategy is clearly needed.
Although the ransomware group responsible remains unidentified, ESO’s statement suggests that the company may have paid to ensure the affected data was removed. Information security contacted the company to verify these claims.
Learn more about ransomware: Forty countries agree not to pay ransoms for cybercrime
Regardless, the company notified the Maine Attorney General’s office on December 19 that 2.7 million people were affected, with letters mailed starting December 12. More than 9,500 patients at Tallahassee Memorial HealthCare were among those affected.
Working with healthcare providers like Ascension Providence and Manatee Memorial Hospital, ESO is notifying patients of the breach. Other institutions affected include Mississippi Baptist Medical Center, Merit Health Biloxi, Merit Health River Oaks and various healthcare facilities.
“Affected patients should immediately take steps to protect themselves against identity theft and health benefits fraud,” commented Paul Bischoff, consumer privacy advocate at Comparitech.
“The ESO has not clarified whether affected patients will benefit from free credit monitoring, but I hope that at least some of them will benefit from it. Check your credit reports, take advantage of free credit monitoring, and keep an eye on your medical bills for suspicious activity.