Johns Hopkins Health System Corporation

Your Personal Info Could Be

Exposed Online After

This Hospital Breach

Breach Description

The Johns Hopkins Health System Corporation experienced a significant data breach that was first discovered on May 31, 2023. The breach affected at least 5,500 individuals initially, but further investigations revealed that over 300,000 people were impacted[1][4]. The breach was a result of a cyberattack targeting the widely used software MOVEit, which is a platform for transferring data files[2][5]. The attack not only affected Johns Hopkins but also impacted many other large organizations around the world[2][5].

The U.S. Office for Civil Rights (OCR) is investigating the incident because it involved “unsecured protected health information” and affected more than 500 people[1]. The breach potentially exposed personal information of employees, students, and patients, although electronic health records were not included[1][2]. The Russian hacker group known as Cl0p ransomware syndicate is believed to be responsible for the cyberattack[1][4].

Johns Hopkins has taken steps to secure its systems and is working with cybersecurity experts and law enforcement to assess the full scope of the attack[2][5]. The institution is in the process of communicating with impacted individuals and is offering two years of free credit monitoring services to help protect against identity theft or fraud[1][2][4]. Those affected can call a designated call center or visit specific websites provided by Johns Hopkins for assistance[1][2].

A class-action lawsuit has been filed against Johns Hopkins Health System, alleging negligence for failing to implement adequate safeguards to protect personal health information and identifiable data[6][7]. The lawsuit claims that the health system was aware of the vulnerability in its MOVEit file transfer software and did not take sufficient measures to secure the data[6][7].

Johns Hopkins has urged its community members to take immediate steps to protect their information, such as monitoring accounts, placing fraud alerts or credit freezes, being wary of suspicious emails, and signing up for credit monitoring services[3][10]. The breach is a reminder of the increasing risk of cyberattacks in the healthcare industry, which has seen a significant rise in data breaches in recent years[3][7].

Citations:

  1. https://www.wbaltv.com/article/johns-hopkins-data-breach-civil-rights-officials-investigation/44734824
  2. https://www.hopkinsmedicine.org/data-attack
  3. https://www.cbsnews.com/baltimore/news/expert-says-johns-hopkins-university-and-health-system-cyberattack-sign-of-the-times/
  4. https://www.wbaltv.com/article/johns-hopkins-data-breach-people-affected/44787414
  5. https://www.wmar2news.com/local/johns-hopkins-impacted-by-widespread-cyberattack-personal-information-may-be-affected
  6. https://www.healthcaredive.com/news/johns-hopkins-hit-with-class-action-suit-data-breach/686650/
  7. https://www.wypr.org/wypr-news/2023-07-19/johns-hopkins-hit-with-class-action-suit-over-cyber-breach
  8. https://www.jhu.edu/data-attack/
  9. https://www.doj.nh.gov/consumer/security-breaches/documents/johns-hopkins-university-health-system-20230721.pdf
  10. https://www.cbsnews.com/baltimore/news/johns-hopkins-university-and-health-system-target-of-cybersecurity-attack/
  11. https://www.baltimoresun.com/2023/06/27/johns-hopkins-university-and-health-system-to-reach-out-to-those-hit-by-moveit-data-breach/
Breach Submission Date Jul 31, 2023
Converted Entity Name Johns Hopkins Health System Corporation
Converted Entity Type Business Associate
State MD
Individuals Affected 2,584
Breach Type Hacking/IT Incident

Breach Information Location Network Server

Business Associate Present Yes