Orange County hospital notifies 600 patients of data breach that compromised SSNs

College Hospital Costa Mesa this week confirmed it notified 591 people about an August 2024 data breach that compromised patients’ names, Social Security numbers, dates of birth, diagnoses, and other info.

Ransomware gang LockBit claimed responsibility for the attack on September 24, 2024, saying it stole 1090 GB of data from the hospital. LockBit gave the Orange County hospital until October 15 to pay and undisclosed amount of ransom. The group posted screenshots of what it says are confidential College Hospital documents, which LockBit threatened to release if its demands were not met.

The hospital has not verified LockBit’s claim. We do not yet know how attackers breached College Hospital’s network or if the hospital paid a ransom. Comparitech contacted College Hospital Costa Mesa for comment and will update this article if it replies.

“On September 17, 2024, we learned of an incident that disrupted the operations of some of our IT systems. We immediately took steps to secure our systems, launched an investigation with the assistance of third-party forensic experts, and notified law enforcement. Our investigation determined that the threat actor accessed some files on our systems between August 14, 2024 and September 17, 2024,” the hospital’s notice to victim states.

College Hospital is offering eligible victims free identity monitoring.

Who is LockBit?

LockBit is one of the most high-profile ransomware gangs ever and has a slew of high-profile attacks under its belt. It claimed 81 confirmed ransowmare attacks so far in 2024, compromising more than 8 million records.

LockBit’s other recently confirmed attacks include those on the Pi Kappa Phi fraternity at the University of Alabama, New York support group Equinox, and YMCA of Central Florida.

The group claimed another 426 unconfirmed attacks this year that weren’t acknowledged by targets.

Although the last few months have been quieter, LockBit recently announced the launch of version 4.0 of its ransomware, so it could be on the brink of another wave of attacks.

Ransomware attacks on US healthcare

Ransomware attacks can disrupt day-to-day operations and force hospitals, clinics, and other healthcare providers to divert patients and cancel appointments. Ransomware can cripple systems used for prescriptions, billing, payroll, and appointment booking. Many ransomware groups also steal data that can later be used to extort hospitals for even more money.

Comparitech researchers logged 120 confirmed ransomware attacks on US hospitals, clinics, and other care providers so far in 2024. Those attacks compromised 21.4 million records and demanded an average ransom of $1.06 million.

Other recently confirmed attacks on US healthcare include:

• American Addiction Centers notified 422,424 people of a September 2024 breach claimed by Rhysida, who demanded $1.83 million
• Brockton Neighborhood Health Center notified 97,500 people of a November 2024 breach claimed by Interlock
• Mohawk Valley Cardiology notified about 5,000 people of and August 2024 breach claimed by BianLian

About College Hospital Costa Mesa

College Hospital Costa Mesa is a 122-bed hospital in Costa Mesa, California. In addition to medical and surgical services, it also psychiatric care, medical detoxification, and electroconvulsive therapy.