ESO Solutions, a data and software provider for emergency responders and healthcare entities, has commenced the notification process for 2.7 million individuals affected by a ransomware attack.
The breach, which unfolded on September 28, compelled ESO to shut down systems temporarily to curb the incident’s reach. Although the attackers accessed and encrypted internal systems, ESO said it restored them using backups.
In an incident notice published earlier today, the firm stated an unauthorized third party may have obtained personal data, and they are actively collaborating with federal law enforcement investigations. Patient information, including names, addresses and health details were compromised, with potential exposure of sensitive information like Social Security numbers.
“The fact is that HIPAA compliance does include allowances for health care providers to store ePHI in SaaS applications and in the cloud,” commented Colin Little, security engineer at Centripetal.
“All guidance I see for health care providers states that SaaS application vendors need to be thoroughly vetted when making that choice. While there are a lot of factors that make the choice of going to a SaaS application appealing, such as scalability and economic factors, a much more thorough risk assessment of this strategy is clearly required.”
While the ransomware gang responsible remains unidentified, ESO’s statement suggests that the company may have paid to secure the deletion of impacted data. Infosecurity has reached out to the company to verify these claims.
Read more on ransomware: Forty Countries Agree Not to Pay Cybercrime Ransoms
Regardless, the company notified the Maine Attorney General’s Office on December 19 that 2.7 million individuals were affected, with letters mailed out starting December 12. Over 9500 Tallahassee Memorial HealthCare patients were among those affected.
Collaborating with healthcare providers like Ascension Providence and Manatee Memorial Hospital, ESO is informing patients of the breach. Other impacted institutions include Mississippi Baptist Medical Center, Merit Health Biloxi, Merit Health River Oaks and various healthcare facilities.
“Affected patients should immediately take steps to protect themselves from identity theft and health benefits fraud,” commented Paul Bischoff, consumer privacy advocate at Comparitech.
“ESO hasn’t stated whether affected patients will get free credit monitoring, but I expect at least some of them will. Check your credit reports, take advantage of the free credit monitoring, and keep an eye on your medical bills for suspicious activity.”