Keystone Health says hackers accessed files containing sensitive patient information such as Social Security numbers.
Pennsylvania-based healthcare service provider Keystone Health suffered a major data breach exposing the protected health information (PHI) of close to a quarter of a million people.
According to Keystone, the organization suffered from a cybersecurity incident that it noticed on August 19 when it interfered with Keystone’s IT systems. Subsequent investigation revealed threat actors were lurking in the organization’s systems for three weeks.
“Our investigation found that an unauthorized party accessed files within our system between July 28, 2022 and August 19, 2022. Some of those files contained patient information, including names, Social Security numbers, and clinical information,” Keystone said in a statement.
Last week the organization notified the US Department of Health and Human Services Office for Civil Rights about the incident, estimating that the breach impacted over 235,000 people.
Keystone Health primarily serves Franklin County in the state of Pennsylvania. The organization provides various services to its customers, ranging from dental care to pharmaceuticals. Keystone generates around $35m in yearly revenue.
The organization is the latest addition to the list of healthcare providers targeted by hackers. In early October, CommonSpirit Health, the second-largest non-profit hospital chain in the US, reported an IT security issue impacting its facilities.
Threat actors often target hospitals since most healthcare organizations have scant cybersecurity budgets and are extremely sensitive to downtime. Hospitals also store extremely sensitive data, making it valuable in the hands of threat actors.
A recent survey showed that two-thirds of healthcare organizations were hit by a ransomware attack last year. The number of affected organizations in the field doubled from 34% in 2020 to 66% last year.
The survey indicates that ransomware attacks against healthcare have become so frequent that some insurers either refuse to take in hospitals or leave the market altogether.
More from Cybernews:
Subscribe to our newsletter