2.7M medical records exposed in double-extortion ransomware attack

A ransomware attack against medical software company ESO Solutions has exposed personal details and healthcare information belonging to 2.7 million U.S. patients.

ESO Solutions, a developer of patient care solutions used by hospitals and emergency services, told state regulators it “detected and stopped a sophisticated ransomware incident” on Sept. 28, but not before the attackers were able to encrypt some of the company’s systems.

Texas-based ESO called in the FBI after its subsequent investigation determined, on Oct. 23, that personal data on one of its affected systems had been exfiltrated during the breach.

The tactic of exfiltrating data during a ransomware attack is known as double extortion. It is meant to maximize the financial gain of the attack. Victims who refuse to pay a ransom to decrypt their data are then threatened with having that data publicly released or sold. This puts pressure on victims to pay or risk “exposing organizations to reputational damage, legal consequences and regulatory fines,” explains SentinelOne.

It's unclear from ESO Solutions' disclosure whether the attackers made specific threats to release portions of the medical records as a consequence of not paying the ransom.

No evidence of data in the wild

The company had “found no evidence that impacted information has been misused,” it said in a statement on its website and in a breach notification letter sent to affected individuals.

Hospitals that use ESO’s software have also notified patients that their information has been compromised.

The personal data exposed through the attack varied from individual to individual but included names, phone numbers, addresses, social security numbers, and medical details including injury, diagnosis and treatment information.

ESO is offering those affected free access to an identity monitoring service.

“We encourage all individuals to remain vigilant and to regularly review and monitor relevant account statements and credit reports and report suspected incidents of identity theft to local law enforcement, your state’s Attorney General, or the Federal Trade Commission,” the company said in its letter.

Adding to a mountain of health sector breaches

It is the fourth time in just over a month that a provider in the healthcare sector has confirmed a breach affecting millions of Americans.

Last month medical transcription firm Perry Johnson & Associates (PJ&A) confirmed to the Department of Health and Human Services (HHS) that almost 9 million patient records were exposed after hackers gained access to the company’s systems in March.

A few days later, healthcare solution provider Welltok, one of the many victims of the Clop ransomware gang’s MOVEit Transfer hacks, confirmed to HHS the attack had impacted 8.5 million records it held.

This month, as the impact of the MOVEit Transfer breaches continued to mount, Delta Dental of California and its affiliates reported that almost 7 million records they held, including information shared in connection with dental procedures and claims payments, had been compromised.

With only a few days to go until the end of the year, the largest breach of U.S. health-related data in 2023 was reported in July by Tennessee-based HCA Healthcare, a breach involving the theft of 11 million patient records.

Simon Hendery

Simon Hendery is a freelance IT consultant specializing in security, compliance, and enterprise workflows. With a background in technology journalism and marketing, he is a passionate storyteller who loves researching and sharing the latest industry developments.
