It’s bad enough experiencing one ransomware attack. Imagine experiencing two, because that’s what Episcopal Retirement Services (ERS) in Ohio has been dealing with.
On or about September 24, ERS discovered that i had been the victim of what it describes as a cyberattack that impacted its systems and servers. Then on October 22, they experienced what they describe as another incident that was determined to be a ransomware incident.
At this time, ERS also learned that the September incident was a ransomware attack.
ERS’s investigation is ongoing, and their external counsel reports that ERS has not determined how its systems were accessed.
The notification by Whiteford, Taylor, & Preston LLP to the Maine Attorney General’s office does not indicate what type or types of ransomware were involved, or what any ransom demands might have been. Nor has ERS shown up on any dedicated leak site where threat actors might disclose their attacks.
The incident(s) resulted in the exposure and potential acquisition of protected health information (PHI). While the types of PHI vary by individual, it could include first and last names, addresses, gender, social security numbers, phone numbers, and dates of birth. The information potentially impacted also may have included medical diagnoses, health care provider name, insurance numbers, and Medicare number.
ERS plans to notify 4,133 patients, but since the investigation is ongoing, the number may change.
Additional information is included in the notice on their website.
Read the article