Maternal and Family Health Services

Your Personal Info Could Be

Exposed Online After

This Hospital Breach

Breach Description

Maternal & Family Health Services (MFHS), a nonprofit healthcare organization based in Pennsylvania, experienced a significant cybersecurity incident in 2022, which was identified as a sophisticated ransomware attack. This incident led to the potential exposure of sensitive personal information of current and former patients, employees, and vendors. The breach was first detected on April 4, 2022, but the unauthorized access to MFHS’s systems is believed to have occurred between August 21, 2021, and April 4, 2022[1][3].

The compromised information includes names, addresses, dates of birth, Social Security numbers, driver’s license numbers, financial account/payment card information, usernames and passwords, medical information, and health insurance information[1][3]. Despite the breach, MFHS has stated that there is no evidence that the exposed personal information has been misused[1].

In response to the incident, MFHS engaged specialized third-party forensic incident response firms to secure their systems and conduct a forensic investigation to determine the extent of the breach and identify the data that may have been compromised[1][3]. The organization began notifying potentially affected individuals via U.S. Mail on January 3, 2023, and has offered complimentary credit monitoring and identity theft protection services to those whose Social Security numbers and/or financial account/payment card information may have been involved[1].

MFHS has also established a dedicated phone hotline for individuals with questions about the incident, available Monday through Friday from 9:00 am to 9:00 pm Eastern Time[1]. The organization has taken this incident seriously and is committed to strengthening its systems’ security to prevent future incidents[1].

The breach has affected the personal information of almost half a million people, making it one of the largest data breaches in recent months[6]. MFHS serves the needs of over 90,000 women, men, and children across 17 counties in Northeastern Pennsylvania and employs more than 116 people, generating approximately $14 million in annual revenue[6].

This incident highlights the ongoing risk of ransomware attacks targeting healthcare organizations, which often store sensitive patient, financial, and medical information. It underscores the importance of robust cybersecurity measures and the need for organizations to remain vigilant in protecting their systems and data from unauthorized access.

Citations:

  1. https://www.mfhs.org/important-information-about-maternal-family-health-services-2022-cybersecurity-incident/
  2. https://healthnews.com/news/ransomware-attack-impacts-health-services-organization-in-pennsylvania/
  3. https://techcrunch.com/2023/01/05/maternal-family-health-services-ransomware/
  4. https://www.hipaajournal.com/maternal-family-health-services-sued-over-ransomware-attack-and-data-breach/
  5. https://www.malwarebytes.com/blog/news/2023/01/maternal-family-health-services-discloses-ransomware-attack-months-after-discovery/amp
  6. https://www.jdsupra.com/legalnews/maternal-family-health-services-inc-3327501/
  7. https://www.databreaches.net/pa-maternal-family-health-services-reveals-ransomware-incident/
  8. https://www.darkreading.com/cyberattacks-data-breaches/maternal-family-health-services-issues-notice-of-cybersecurity-incident
  9. https://www.prnewswire.com/news-releases/maternal–family-health-services-issues-notice-of-cybersecurity-incident-301713826.html
  10. https://www.idstrong.com/sentinel/pennsylvania-maternal-family-health-services-breach/
  11. https://www.scmagazine.com/brief/maternal-family-health-services-hit-with-ransomware-attack
  12. https://www.msdlegal.com/blog/2023/01/maternal-and-family-health-services-inc-data-breach-class-action-investigation/
Breach Submission Date Aug 08, 2022
Converted Entity Name Maternal and Family Health Services
Converted Entity Type Healthcare Provider
State PA
Individuals Affected 500
Breach Type Hacking/IT Incident

Breach Information Location Network Server

Business Associate Present Yes