US-based health and human services organization Maternal & Family Health Services (MFHS) has reported being hit by a ransomware attack.
The non-profit made the announcement on Thursday, saying its systems were compromised between August 21, 2021, and April 4, 2022.
An investigation launched in April last year revealed the attack may have exposed sensitive information to an unauthorized individual.
This personal information included names, addresses, dates of birth, Social Security numbers, driver's license numbers, financial account/payment card information, usernames and passwords, medical information and/or health insurance information.
Despite the attacks occurring roughly a year ago, MFHS started issuing letters to potentially impacted individuals only on January 3, 2023.
"This latest breach [...] highlights the fact that HIPAA and HITECH are not sufficient to protect patient privacy," warned SafeBreach CISO Avishai Avivi.
"Another worrying sign is that it took almost eight months from the discovery of the breach before the organization started reaching out to individuals potentially impacted."
Avivi added that he believes regulations must be tightened to follow the financial industry's lead.
"This includes shorter notification windows, as well as stronger defenses. The fact that a ransomware attack was able to impact patient data would indicate that Maternal & Family Health did not validate their controls against such attacks."
Writing in a press release, MFHS CEO Maria Montoro Edwards said the non-profit took the protection of patients' and employees' personal information seriously.
"We understand the inconvenience or concern this incident may cause and are committed to strengthening our systems' security to prevent this kind of incident from happening again."
The organization is also offering credit monitoring and identity theft protection services to individuals whose Social Security number or financial account/payment card information may have been involved in the incident.
"The patients will not only need credit monitoring but also [to] be vigilant in emails they receive, making sure they understand what to look for in the links for emails," James McQuiggan, security awareness advocate at KnowBe4, told Infosecurity.
"If it's an email they're not expecting, and even if they know the person, they should take great care in checking the links to avoid their cyber-attack."
The disclosure of the attack comes weeks after the ransomware group known as Royal was exposed targeting healthcare organizations in the US.