Maui, Hawaii health clinic notifies 124K people of data breach that compromised SSNs, payment and medical info

Malama I Ke Ola Health Center a.k.a. Community Clinic of Maui over the weekend confirmed it notified 123,882 people of a May 2024 data breach that compromised the following private info:

• Name
• Social Security number
• Date of birth
• Driver’s license or state-issued ID number
• Passport number
• Financial account number,
• Routing number
• Bank name
• Credit and debit card numbers, CVVs, and expiration dates
• PIN code
• Login info
• Medical diagnosis
• Clinical info
• Treatments and procedures
• Treatment location
• Treatment cost
• Doctor’s name
• Medical record number
• Patient account number
• Prescription info
• Biometric data

Ransomware gang LockBit claimed responsibility for the attack shortly after it occurred and demanded a ransom payment by June 11, 2024.

In addition to data theft, the clinic shut down for two weeks as a result of the attack. Even after reopening, staff and patients were forced to use pen and paper systems in lieu of computers.

The notice does not offer victims free credit monitoring or identity theft protection, as is the status quo for data breaches of this severity.

We do not yet know whether the clinic paid a ransom, how much LockBit demanded, or how attackers breached the clinic’s network. Comparitech contacted Malama I Ke Ola Health Center for comment and will update this article if it responds.

Who is LockBit?

LockBit is one of the most prolific ransomware gangs of recent years and is responsible for hundreds, if not thousands, of attacks. The group is based in Russia. LockBit often employs a double-extortion model in which it demands one ransom to decrypt systems and a second ransom to delete any stolen data.

Comparitech researchers tracked 66 confirmed ransomware attacks claimed by LockBit in 2024 to date, affecting 8.2 million records. Seven of those attacks were against healthcare companies, including a recent attack on Real Hospital Português de Beneficência em Pernambuco (Brazil).

LockBit has claimed another 429 attacks in 2024 that haven’t been acknowledged by targets.

Ransomware attacks on US healthcare

Hospitals, clinics, and other healthcare-related organizations are frequent targets for ransomware attacks. In addition to data theft, ransomware can disrupt key systems used for payments, appointments, medical records, and more. Hospitals and clinics might be forced to cancel appointments and divert patients elsewhere, or resort to pen and paper until systems are restored.

We recorded 65 confirmed ransomware attacks on US healthcare entities so far in 2024, affecting more than 7 million records. The average ransom across these attacks is $825,000.

Other recent attacks include those on UMC Health System in Texas and Great Plains Region Medical Center in Oklahoma.

In 2024, we logged another 125 ransomware attacks on US healthcare that haven’t been acknowledged by victims, including 15 claimed by LockBit.

About Malama I Ke Ola Health Center

Community Clinic of Maui, which does business as Malama I Ke Ola Health Center, is a primary care clinic in Hawaii with three locations: two in Wailuku and one in Lahaina.

The clinic employs more than 100 people. Its LinkedIn page states, “Since 2019, we have served over 11,000 patients of which 97% are living at or below 200% of the Federal poverty level.”