New York clinic Excelsior Orthopaedics this week confirmed it notified 357,000 people about a June 2024 data breach that compromised the following employee and patient info:
- Names
- Social Security numbers
- Biometric info
- Medical record number
- Diagnoses and diagnosis codes
- Treatment locations
- Procedure types
- Provider names
- Treatment costs
- Medical dates of service
- Patient account numbers and subscriber member numbers
- Health insurance info
- Financial info
- Addresses
- Dates of birth
- Driver’s license or other ID number
Ransomware group Monti claimed responsibility for the attack and gave Excelsior until July 16, 2024 to pay an undisclosed sum in ransom.
Excelsior has not verified Monti’s claim. We do not yet know whether Excelsior paid a ransom, how much Monti demanded, or how attackers breached Excelsior’s network. Comparitech contacted Excelsior for comment and will update this article if it replies.
“On June 23, 2024, Excelsior detected unusual activity on its network and discovered that it was the victim of a data security incident,” Excelsior’s notice to victims states. “Initial results of the forensic investigation indicated that the incident resulted in the compromise of data relating to current and former patients and employees of Excelsior and its related entities, including the Buffalo Surgery Center and Northtowns Orthopaedics.”
Excelsior is offering eligible victims 12 months of free credit monitoring and identity theft protection via TransUnion. The deadline to enroll is 90 days from receipt of the notice letter.
Who is Monti?
Monti is a ransomware group that strongly resembles an earlier group with a similar name, Conti. It claimed its first attack in February 2023. Comparitech researchers logged 14 attacks by Monti in total, with this attack on Excelsior being the largest by number of records compromised.
Prior to Excelsior, Monti’s biggest attack was on Cambridge College in Massachusetts, which notified 30,368 people of the breach. Monti also claimed responsibility for an attack on Wayne Memorial Hospital in Pennsylvania, which compromised the records of 2,500 people.
Monti claimed another 27 unconfirmed attacks in 2024 that weren’t acknowledged by targets.
Ransomware attacks on US healthcare
Ransomware attacks on US hospitals, clinics, and other care providers both steal data and lock down systems until a ransom is paid for a key to unlock them. Care providers might have to cancel appointments and divert patients until systems are restored, which can have life-threatening consequences. Doctors might be unable to communicate with patients, write prescriptions, or access medical records.
Throughout 2024, 124 confirmed ransomware attacks on US hospitals, clinics, and other care providers compromised 21.8 million private records, according to our data. Monti’s attack on Excelsior is the 14th-largest data breach at a US healthcare company in 2024.
This week, we reported two other confirmed attacks on medical clinics:
About Excelsior Orthopaedics
Excelsior Orthopaedics operates eight clinics in Amherst, Buffalo, Orchard Park, Elma, and Niagara Falls, NY. According to its website, it employs more than 100 orthopedic specialists and has accumulated more than 400,000 patient visits.