127,000 NorthCare Patients’ PHI Potentially Exposed Due to Ransomware Attack

NorthCare, a mental health clinic based in Oklahoma City, OK, suffered a ransomware attack last June 2021 that resulted in the compromise of patients’ protected health information (PHI).

NorthCare discovered suspicious system activity on June 1, 2021, the moment ransomware was employed for file encryption. The investigation of the ransomware attack affirmed the system breach on May 29, 2021. The threat actors immediately deployed ransomware to block access to files and issued a ransom demand in exchange for the keys to decrypt data files.

Northcare immediately took steps to control the impact of the attack and although it wasn’t possible to stop file encryption, the health clinic could restore its network and data using backups even without giving any ransom payment.

The attackers had accessed areas of the network that stored the protected health information of patients. Although the investigators did not confirm any data exfiltration, NorthCare is supposing the threat actors got access to patient information. The types of information possibly exposed in the attack were the patients’ full names, birth dates, addresses, Social Security numbers, and medical diagnoses.

After the attack, third-party forensics specialists helped with the investigation as well as remediation work. Northcare already notified the Federal Bureau of Investigation and is working together with technical professionals to strengthen the security of its network and restrict its access.

Considering that the attackers possibly accessed and acquired protected health information, NorthCare has provided identity monitoring, identity theft restoration, and fraud consultation services to persons affected by the breach for 12 months for free.

The breach notification received by the Maine attorney general revealed that the ransomware attack potentially affected the protected health information of 127,883 patients.