185K people's sensitive data in the pits after ransomware raid on Cherry Health

Ransomware strikes at yet another US healthcare organization led to the theft of sensitive data belonging to just shy of 185,000 people.

Michigan-based Cherry Health reported a data breach to regulators on Wednesday caused by a ransomware attack back in December 2023.

The health center, which operates across six counties within the state, also revealed the scale of the sensitive data stolen by the group. In addition to names, email and home addresses, phone numbers, and dates of birth, data that could be used to increase the perceived legitimacy of a phishing campaign was also gathered:

• Health insurance information

• Health insurance ID number

• Patient ID number

• Provider name

• Service date

• Diagnosis/treatment information

• Prescription information

• Financial account information and/or social security numbers

All of these data points were mentioned in a template notification letter [PDF] prepared for bulk distribution. However, Cherry Health's report to the Office of the Maine Attorney General suggests that simply listing "financial account information" may have been underplaying the severity here.

The filing in Maine mentioned bank account or credit/debit card numbers were stolen in combination with one of the following: security code, access code, password, or PIN for the account.

• MGM says FTC can't possibly probe its ransomware downfall – watchdog chief Lina Khan was a guest at the time
• Change Healthcare's ransomware attack costs edge toward $1B so far
• Change Healthcare faces second ransomware dilemma weeks after ALPHV attack
• Nearly 1M medical records feared stolen from City of Hope cancer centers

The healthcare organization said in the letter: "We take the privacy of information in our care very seriously. At this time, there is no evidence that any of your information has been, or will be, misused. In an abundance of caution, we are providing you information about the incident, our response, and steps you can take to further protect your information should you feel it is necessary to do so.

"On December 21, 2023, Cherry Health experienced a network disruption, that affected our ability to access certain systems. Upon learning of this, we immediately began an investigation with the support of third-party specialists. Through the investigation, we learned that some data we maintain was accessed improperly. We then took steps to determine the types of information that were at risk and the individuals to whom it pertained. On March 25, 2024, this process was completed, and we worked to notify you as soon as possible."

Individuals caught up in the data breach have been offered the requisite 12 months of credit monitoring, and according to the HTML in the letter template, it seems some may be offered up to 24 months.

The attack type was listed as ransomware, but no criminal crew has yet stepped forward to claim responsible.

However, in common ransomware scenarios, stolen data is used as leverage to extort a victim. If they pay, the data doesn't get published – it's known as the double extortion method, which has proven quite successful for criminals in recent years.

The attack comes fresh off the heels of the massively disruptive incident at Change Healthcare, which this week was revealed to have cost parent company UnitedHealth $872 million in remediation costs to date. ®