
Rehab hospitals in MA and NH notify patients of data breach that compromised medical info and SSNs

Northeast Rehabilitation Hospital Network yesterday confirmed it notified 22,514 people in Massachusetts of a May 2024 data breach that compromised the following info:

  • Names
  • Contact info
  • Social Security numbers
  • Patient ID numbers
  • Medical record numbers
  • Medical info
  • Treatment info
  • Diagnosis info
  • Health insurance info
  • Driver’s license numbers
  • Financial account info
  • Dates of birth

Northeast Rehabilitation Hospital Network (NRHN) operates locations in Massachusetts and New Hampshire, so the total number of victims is likely much higher. Comparitech will update this article as more state officials disclose leak figures.

Ransomware gang Hunters International claimed responsibility for the attack in August, saying it stole 410 GB of data from NRHN.

Hunters International adds NRHN to its leak site.

NRHN has not verified Hunters’ claim. We do not yet know if NRHN paid a ransom, how much Hunters demanded, or how attackers breached NRHN’s network. Comparitech contacted NRHN for comment and will update this article if it replies.

“The investigation determined there was unauthorized access to NRHN’s network between May 13, 2024, and May 22, 2024, and that certain files and folders within the network were or may have been taken without authorization during that time,” NRHN’s notice to victims states.

NRHN’s notice does not mention any offer of free credit monitoring or identity theft protection for victims.

Who is Hunters International?

Hunters International first started posting targeted organizations to its leak site in October 2023. It is rumored to be a spin-off of an earlier group called Hive. Hunters often extorts victims twice in one attack: it seeks one ransom for decrypting systems and another for not publishing or selling stolen data.

Hunters has claimed 58 confirmed ransomware attacks since it began, compromising more than 2 million records. It claimed another 188 unconfirmed attacks that weren’t acknowledged by targets.

Hunters claimed three confirmed attacks in December 2024 on Ecritel (France), SmartLynx Airlines (Latvia), and Nikki-Universal (Japan).

Ransomware attacks on US healthcare

Ransomware attacks on US hospitals, clinics, and other care providers can both steal data and lock down systems until a ransom is paid for a key to unlock them. Care providers might have to cancel appointments and divert patients until systems are restored, which can have life-threatening consequences. Doctors might be unable to communicate with patients, write prescriptions, or access medical records.

Comparitech researchers logged 124 confirmed ransomware attacks on US hospitals, clinics, and other care providers in 2024, which compromised 21.4 million individual records. The average ransom demand was $1.06 million.

Yesterday, Comparitech reported on another medical data breach at Teton Orthopedics in Wyoming. That attack was claimed by DragonForce, another ransomware gang.

About Northeast Rehabilitation Hospital Network

Founded in 1984, Northeast Rehabilitation Hospital Network (NRHN) consists of four inpatient hospitals and more than 25 outpatient clinics in Massachusetts and New Hampshire. They provide rehabilitation care for disabling injuries and illnesses. NRHN employs more than 1,000 people, according to its LinkedIn profile.

