Owner of Addiction Treatment Centers, Medical Offices and Hotels Hit by Ransomware
A commercial real estate company that operates more than a dozen addiction recovery centers and other medical facilities in several states is notifying 319,500 patients and employees of a recent ransomware incident that compromised their personal and health information.
Onix Group, based in Kennett Square, Pennsylvania, which reported the incident to the Department of Health and Human Services on May 26, said in a breach notice posted on its website that the ransomware attack discovered on March 27 had “corrupted certain systems” and involved the exfiltration of a “subset of files.”
The company said the investigation into the ransomware incident determined that an unauthorized actor had accessed Onix’s network between March 20 and March 27.
ONIX Group’s healthcare division has over 30 years of experience operating medical facilities. The company, which also operates hotels, says information contained in the affected files varied by individual. Information compromised included patients’ names, Social Security numbers, birthdates and scheduling, billing and clinical information pertaining to the patients’ medical care at the Onix facilities.
The affected files also contained employee information maintained for human resources purposes, including names, Social Security numbers, direct deposit information and health plan enrollment information, the breach notice says.
Onix healthcare-related entities affected by the incident include 10 Addiction Recovery Systems centers, five Cadia Healthcare centers, and a number of Physician’s Mobile X-Ray units, which travel to different locations, said Will Jervis, compliance officer at Onix.
Jervis declined Information Security Media Group’s request for additional details about the ransomware attack, including the malware variant and hacker group believed to be responsible for the incident.
“Real estate companies are generally not synonymous with healthcare companies,” said Dave Bailey, vice president at privacy and security consultancy Clearwater. “But any company that qualifies as a business associate under HIPAA must abide by the provisions of the rule and demonstrate they have reasonable and appropriate safeguards to protect patient information.”
Onix said it is taking measures to bolster the security of its systems and will continue enhancing its protocols to safeguard information in its care. Jervis declined to elaborate on those plans.
As of Thursday, the Department of Health and Human Services’ HIPAA Breach Reporting Tool website shows that Onix’s hacking incident was among 295 major health data breaches affecting more than 37 million individuals reported to federal regulators so far in 2023.
Of those, 113 health data breaches – or 40% – were reported by business associates such as Onix. Business associate breaches affected nearly 19.9 million individuals, or about half of all people affected by major health data compromises reported so far this year.
“The healthcare industry is targeted and under attack from highly capable adversaries causing disruption, data exfiltration and extortion,” Bailey said. “Everyone engaged within the ecosystem is susceptible.”