Shields Health Care Group data breach affects 2 million patients

Shields Health Care Group (Shields) suffered a data breach that exposed the data of approximately 2,000,000 people in the United States after hackers breached their network and stole data.

Shields is a Massachusetts-based medical services provider specializing in MRI and PET/CT diagnostic imaging, radiation oncology, and ambulatory surgical services.

According to a data breach notification published on the company's site, Shield became aware of the cyberattack on March 28, 2022, and hired cybersecurity specialists to determine the scope of the incident.

The examination of log files showed that the hackers had access to Shields’ systems from March 7, 2022, to March 21, 2022, allowing them to potentially access data containing the following patient information:

• Full name
• Social Security number
• Date of birth
• Home address
• Provider information
• Diagnosis
• Billing information
• Insurance number and information
• Medical record number
• Patient ID
• Other medical or treatment information

The above information can be used for social engineering, phishing, scamming, and even extortion, depending on the case, and is generally considered extremely sensitive information.

Shields says it has seen no evidence that any stolen information has been misused or disseminated on illegal channels. However, it might be too early for that data to be circulated publicly.

Typically, stolen information of this kind is bartered privately and used in small-scale, targeted attacks before it is resold to lower-tier threat actors who engage in bulk exploitation.

Massive impact

While the notice doesn’t determine how many patients were affected by the incident, Bleeping Computer learned that two million people were affected from the Office for Civil Rights portal of the U.S. Department of Health.

Due to Shields’ business type relying upon partnerships with hospitals and medical centers, the consequences of the security incident are far-reaching and impact 56 facilities and their patients.

Some notable examples include the Tufts Medical Center, the Emerson Hospital, the Winchester Hospital, the Falmouth Hospital, and the Central Maine Medical Center.

The complete list of impacted medical facilities is included in the data security incident notice published on the service provider’s website.

Shields doesn’t have a direct relationship with the impacted individuals but plans to inform them directly when its examination of the incident has been completed. In the meantime, the company has notified federal law enforcement and the relevant state regulators.

The best thing that potentially impacted individuals can do now is verify if they used medical services in the facilities listed on Shield’s notice, and then follow the enclosed instructions to claim your free yearly credit reporting services.