The breach on Women’s Health Care Group of Pennsylvania was discovered in May, but hackers had unauthorized access to the system as early as January.
The Women’s Health Care Group of Pennsylvania, with 45 offices throughout the state, has notified 300,000 of its patients that a ransomware attack has put their personal health information at risk.
The health system discovered a server and workstation at one of its practices was infected by ransomware on May 16. Officials said the infected server and workstation were removed from the network, before officials launched an investigation by a computer forensics team.
The investigation revealed the cybercriminals began hacking the system as early as January 2017, by leveraging a security vulnerability. Officials said the security flaw allowed limited access to patient information before it encrypted certain files.
The health system couldn’t determine if patient information acquired or viewed.
The data stolen by hackers included names, Social Security numbers, birth dates, pregnancy histories, blood type information, lab results, medical record numbers, insurance information and medical diagnoses. Officials said the encrypted files were restored from backups and didn’t disrupt patient care.
This type of data is used by hackers to build full profiles of patients that are then placed for sale on the dark web. For example, by leveraging insurance data, a hacker can masquerade as an insurance agent and attempt to collect money from a patient.
The health system has also filed a report with the FBI.
“Maintaining the integrity and confidentiality of our patients’ personal information is very important to us, officials said in a statement. “We’re conducting a comprehensive internal review of our information security practices and procedures to help prevent such events in the future.”