Monday, February 24, 2025
Healthcare Provider ESO Becomes Victim of Ransomware Attack, Affecting 2.7 Million People

ESO Solutions, a data and software provider for emergency responders and healthcare entities, has initiated the notification process for 2.7 million individuals impacted by a ransomware attack.

The breach, which occurred on September 28, resulted in ESO temporarily shutting down systems to contain the incident. Despite the attackers gaining access to and encrypting internal systems, ESO was able to restore them using backups.

In a recent incident notice, the company revealed that personal data may have been accessed by an unauthorized third party, and said it is actively cooperating with federal law enforcement investigations. The compromised patient information includes names, addresses, and health details, with potential exposure of sensitive information such as Social Security numbers.

“The reality is that HIPAA compliance does allow healthcare providers to store ePHI in SaaS applications and in the cloud,” stated Colin Little, a security engineer at Centripetal.

“All the guidance I see for healthcare providers emphasizes the need for thorough vetting of SaaS application vendors. While there are many appealing factors for choosing SaaS applications, such as scalability and economic factors, a much more comprehensive risk assessment of this strategy is clearly necessary.”

While the ransomware group responsible remains unidentified, ESO’s statement suggests that the company may have paid to ensure the deletion of affected data. Infosecurity has contacted the company to verify these claims.

Nevertheless, the company notified the Maine Attorney General’s Office on December 19 that 2.7 million individuals were affected, with letters being sent out starting December 12. Over 9500 patients of Tallahassee Memorial HealthCare were among those impacted.

ESO is collaborating with healthcare providers like Ascension Providence and Manatee Memorial Hospital to inform patients of the breach. Other affected institutions include Mississippi Baptist Medical Center, Merit Health Biloxi, Merit Health River Oaks, and various healthcare facilities.

“Affected patients should take immediate steps to protect themselves from identity theft and health benefits fraud,” advised Paul Bischoff, a consumer privacy advocate at Comparitech.

“ESO has not disclosed whether affected patients will receive free credit monitoring, but it is expected that at least some of them will. Check your credit reports, take advantage of the free credit monitoring, and monitor your medical bills for any suspicious activity.”
