ESO Solutions, a company providing software products to healthcare organizations and fire departments, has recently announced a breach that impacted 2.7 million patients.
What happened
The company, founded in 2004 and based in Austin, Texas, offers cloud-based logistical software, including management for billing, electronic health records, asset management, and more.
According to a recent notification to the Attorney General of Maine, the attack, conducted by a ransomware organization, occurred on September 28th, 2023. The attacker used a tactic called double-extortion; data was first exfiltrated and then the hackers encrypted several company systems.
After an investigation, ESO determined that 2.7 million patients were impacted. Exposed data may include names, dates of birth, phone numbers, medical record numbers, diagnosis information, treatment types, Social Security Numbers, injury information, and procedure information.
Related: New factsheet released to help organizations transition to cloud environments
Going deeper
According to the filed documents, it’s currently believed that 15 healthcare providers have been impacted, including:
- Mississippi Baptist Medical Center
- Community Health Systems Merit Health Biloxi
- Merit Health River Oaks
- ESO EMS Agency
- Forrest Health Forrest General Hospital
- HCA Healthcare Alaska Regional Hospital
- Memorial Hospital at Gulfport Health System
- Providence St. Joseph Health
- Providence Alaska Medical Center
- Universal Health Services Manatee Memorial Hospital
- Desert View Hospital
- Ascension Providence Hospital in Waco
- Tallahassee Memorial
- Manatee Memorial Hospital
- CaroMont Health
Once ESO discovered the breach, they took their affected systems offline, secured their network environment, and began an investigation. ESO was able to utilize their backup systems to restore all systems and operations that had been encrypted.
What was said
In their letter to the Maine Attorney General, ESO said they have been in “frequent communications with its impacted customers to support their response efforts.” They also stated they began notifying impacted clients on December 12th.
In their notice to patients, ESO said they help hospitals and healthcare systems improve operations and are “likely to have your information from when a healthcare organization provided injury or emergency care to you in the past.”
They further stated they have no evidence that “information has been misused.” ESO is offering 12 free months of identity monitoring.
Chief Information Security Officer Jonathan Cummings, the author of the letter further said, “I can assure you that we continue to build on our already substantial investments in cybersecurity to prevent an incident like this from reoccurring and protect you and your information, now and in the future.”
Why it matters
Data breaches that impact organizations beyond the initial victim are becoming increasingly common. Many hospitals rely on third-party organizations for operational tasks, but these organizations still deal with protected health information (PHI). As PHI is found in more systems and networks, the vulnerability of data can increase. Because of the impact on patients and companies alike, healthcare organizations are frequent attack targets.
Larger health service companies like Ardent Health Services are similarly vulnerable, which recently faced a breach.
Read more: Major ransomware attack disrupts Ardent Health Services, affecting 30 hospitals across six states
The big picture
As breaches like these become more common, frequently creating a domino effect of impacted data, lawsuits are similarly mounting. Breaches can have costs far beyond the initial impact, from settlements with the OCR to facing class-action lawsuits. The best method to protect data and remain HIPAA compliant is to do everything possible to prevent an attack before it occurs.
Read more: Surge in health data breach lawsuits is a growing concern
Related: HIPAA Compliant Email: The Definitive Guide
Abby Grifno
