185K people's sensitive data in the pits after ransomware raid on Cherry Health

Extent of information seized will be a concern for those affected


A ransomware strike at yet another US healthcare organization led to the theft of sensitive data belonging to just shy of 185,000 people.

Michigan-based Cherry Health reported a data breach to regulators on Wednesday caused by a ransomware attack back in December 2023.

The health center, which operates across six counties within the state, also revealed the scale of the sensitive data stolen by the group. In addition to names, email and home addresses, phone numbers, and dates of birth, data that could be used to increase the perceived legitimacy of a phishing campaign was also gathered:

All of these data points were mentioned in a template notification letter [PDF] prepared for bulk distribution. However, Cherry Health's report to the Office of the Maine Attorney General suggests that simply listing "financial account information" may have been underplaying the severity here.

The filing in Maine said that bank account or credit/debit card numbers were stolen in combination with one of the following: security code, access code, password, or PIN for the account.

The healthcare organization said in the letter: "We take the privacy of information in our care very seriously. At this time, there is no evidence that any of your information has been, or will be, misused. In an abundance of caution, we are providing you information about the incident, our response, and steps you can take to further protect your information should you feel it is necessary to do so.

"On December 21, 2023, Cherry Health experienced a network disruption, that affected our ability to access certain systems. Upon learning of this, we immediately began an investigation with the support of third-party specialists. Through the investigation, we learned that some data we maintain was accessed improperly. We then took steps to determine the types of information that were at risk and the individuals to whom it pertained. On March 25, 2024, this process was completed, and we worked to notify you as soon as possible."

Individuals caught up in the data breach have been offered the requisite 12 months of credit monitoring, and according to the HTML in the letter template, it seems some may be offered up to 24 months.

The attack type was listed as ransomware, but no criminal crew has yet stepped forward to claim responsibility.

However, in common ransomware scenarios, stolen data is used as leverage to extort a victim. If they pay, the data doesn't get published – it's known as the double extortion method, which has proven quite successful for criminals in recent years.

The attack comes fresh off the heels of the massively disruptive incident at Change Healthcare, which this week was revealed to have cost parent company UnitedHealth $872 million in remediation costs to date.
