Cherry Health hit by ransomware attack


Cherry Street Services (Cherry Health), a US-based healthcare provider, has fallen victim to a ransomware attack in which the data of 185,000 people was improperly accessed.

In a data breach notification letter dated April 16th, 2024, Cherry Health states that it experienced “a recent data security incident” involving patients' personal data.

"On December 21st, 2023, Cherry Health experienced a network disruption that affected (its) ability to access certain systems,” it wrote.

ADVERTISEMENT

According to data that the healthcare provider submitted to the Maine Attorney General, Cherry Health suffered from a ransomware attack. Ransomware gangs operate by infiltrating the victim’s networks, siphoning and encrypting data, and later demanding a ransom payment to return the stolen data.

Upon discovery, Cherry Health investigated the data security incident with the support of third-party specialists. Where they found that “some data (it) maintain(s) was accessed improperly.”

The data involved includes first names and last names in combination with one or more of the following data elements:

  • Names
  • Addresses
  • Phone numbers
  • Dates of birth
  • Health insurance information
  • Health insurance ID numbers
  • Patient ID numbers
  • Provider names
  • Service dates
  • Diagnosis/treatment information
  • Prescription information
  • Financial account information
  • Social Security numbers

Attackers target healthcare providers precisely for this type of information, as individual healthcare data can be sold for hundreds of dollars on dark web forums.

For example, malicious actors can use medical details to commit medical identity theft, a type of fraud in which threat actors use stolen information to submit forged claims to Medicare and other health insurers.

Other personally identifiable information (PII) may be used to commit fraud, from identity theft and phishing attacks to opening new credit accounts, making unauthorized purchases, or obtaining loans under false pretenses.

Cherry Health urges affected individuals to “remain watchful for potential incidents of identity theft and fraud” by observing credit reports and account statements.

ADVERTISEMENT

Cherry Health operates in six counties across the states, includes a team of over 800 healthcare professionals at 20 locations, and generated approximately $27 million in revenue in 2023.