Health Records of Children, Deceased Patients Among Compromised Data

Community Health Center, which has a dozen primary care, dental and other clinics in Connecticut, is notifying nearly 1.1 million people – including pediatric patients and their parents and guardians – that their information was potentially stolen in a cyberattack detected earlier this month.
CHC, a nonprofit with healthcare practices located in medically underserved areas of Connecticut, reported the hacking incident on Thursday to regulators, including in Maine and California, which are among the states in which some of CHC’s affected current and former patients reside.
CHC, based in Middletown, Conn., was launched in 1971. Besides its community health clinics, CHC said its clinicians also offer care for 17,000 students through school-based health programs in 150 schools across the state of Connecticut.
As of Friday, the CHC hacking incident had not yet been posted to the U.S. Department of Health and Human Services’ HIPAA Breach Reporting Tool website listing major health data breaches. Once added to the list, CHC’s incident is on track to be among the largest health data breaches reported to federal regulators so far in 2025.
Breach Details
CHC said that on Jan. 2, it noticed unusual activity in its computer systems and on that same day, retained experts “to investigate and reinforce” the security of its systems.
In the breach notice, CHC told victims: “They found that a skilled criminal hacker got into our system and took some data, which might include your personal information. Fortunately, the criminal hacker did not delete or lock any of our data, and the criminal’s activity did not affect our daily operations.”
“We believe we stopped the criminal hacker’s access within hours, and that there is no current threat to our systems,” CHC said.
CHC’s report to Maine’s attorney general indicates that the investigation determined the breach occurred several months earlier, on Oct. 14, 2024.
The information potentially accessed or acquired by the hackers includes patient name, date of birth, address, phone, email, guarantor information, diagnoses, progress notes, medications, treatment information, test results, records received from other providers, Social Security Number, and health insurance information.
Besides current and former patients, including pediatric patients, CHC is sending an unspecified number of notification letters to the “next of kin” of deceased patients, according to the center’s breach report to the California attorney general.
So far, CHC said it has no indication that any of the compromised information has been misused. The center is offering affected individuals 24 months of complimentary identity and credit monitoring.
CHC said it is also taking steps to enhance its data security. “We’ve strengthened our security and added special software to watch for suspicious activity. We are also working to make sure our patients’ information stays safe in the future,” the center said.
CHC did not immediately respond to Information Security Media Group’s request for additional details about the incident, including whether the center paid a ransom to the attackers.
Similar Hacks
The CHC breach is the latest of several large hacking incidents reported in recent months involving community health clinics.
Those breaches include Bakersfield, Calif.-based Omni Family Health, a network of 40 community health centers that has been in business since 1978, which reported a hacking incident affecting nearly 470,000 individuals to HHS’ Office for Civil Rights last October (see: 3 Longtime Health Centers Report Hacks Affecting 740,000).
A recent research report by security firm Black Kite found that 25% of healthcare sector ransomware attacks in 2024 affected physicians’ offices, followed by general medical and surgical hospitals, which accounted for 22% of the incidents.
Attackers also targeted smaller healthcare providers, such as dentists and outpatient centers, Black Kite said. “These organizations may lack robust security infrastructure, making them appealing, low-resistance targets for ransomware groups,” the report said.
Black Kite identified 374 healthcare sector ransomware incidents in 2024.