Texas hospital hit by cyberattack that exposed data on 257K patients to hackers

A hospital in Texas revealed that it’s fallen victim to a data breach that exposed the personal information of more than 257,000 patients to hackers.

Nacogdoches Memorial Hospital—an independent health system in Texas consisting of one emergency-capable facility, several affiliated provider practices, and a rehabilitation center—made the breach public this week.

The incident occurred on Jan. 31—or at least, that’s when Nacogdoches Memorial staff became aware of an ongoing cyberattack.

At that time, the hospital said it notified law enforcement, initiated an “incident response plan” and began an investigation to find out what happened. Neither a statement from Nacogdoches Memorial nor a report filed with the Office of the Maine Attorney General contains details such as the nature of the breach or who was responsible.

To date, no known listing of the data trove on the dark web exists, and no hacker group has claimed responsibility for the cyberattack. Whether or not the data will eventually end up leaked onto the Internet or put up for sale remains unknown—but given the scope of the breach and the black market value of the stolen information, it’s not out of the realm of possibility.

Sensitive data on patients accessed by hackers included both medical and personal information, including names, addresses, email addresses, dates of birth, Social Security numbers, and possibly even photos of the patient used for record keeping. Medical record numbers, details on health plans, and other account numbers were accessed.

Neither the report to the state of Maine nor the statement from Nacogdoches Memorial mentions full medical details, such as diagnoses and treatment histories, being stolen.

“We sincerely regret any concern or inconvenience that this matter may cause [to] patients and remain dedicated to protecting patients’ personal information,” the hospital wrote.

It’s also not clear if some of the stolen data came from employees or if it’s entirely limited to patients.

Nacogdoches Memorial said it began sending notices to those impacted on March 31. To date, the organization confirmed that it’s unaware of any incident of identity theft or other nefarious activity linked to the breach.

The hospital declined to offer complimentary identity protection and credit monitoring services, although offering them is customary when organizations experience a data theft incident.

Across its seven locations, Nacogdoches Memorial serves 60,000 patients per year.


Method of attack not revealed

It’s not clear if hackers deployed ransomware or used another method to breach hospital servers. Nacogdoches Memorial did not disclose which systems were accessed or how intruders entered its network.

The health system did say that it fortified its cyberdefenses to “prevent a similar event from occurring in the future.”

HealthExec reached out to Nacogdoches Memorial for additional information.

Chad Van Alstin Health Imaging Health Exec

Chad is an award-winning writer and editor with over 15 years of experience working in media. He has a decade-long professional background in healthcare, working as a writer and in public relations.
