A cyber-attack on an Ohio-based health system may have exposed the protected health information (PHI) of 216,478 patients.

Memorial Health System was hit with ransomware in the early hours of August 15 2021. The incident forced the health system to suspend user access to all information technology applications related to its operations.

The disruption caused surgical cases and radiology exams to be canceled and placed Memorial Health System emergency departments on diversion.

Speaking at the time of the incident, Memorial Health System president and CEO Scott Cantley said: “Staff at our hospitals – Marietta Memorial, Selby and Sistersville General Hospital – are working with paper charts while systems are restored, and data recovered.”

A press statement, released three days after news of the ransomware attack broke, gave the impression that Memorial Health System had opted to pay its attackers.

“We have reached a negotiated solution and are beginning the process that will restore operations as quickly and as safely as possible,” said Cantley in the August 18 statement.

He added: “We are following a deliberate, systematic approach to bring systems back online securely and in a manner that prioritizes our ability to provide patient care.”

An investigation into the security incident determined that attackers had broken into the health system’s network on July 10 2021, then waited a month to deploy ransomware.

In September last year, Memorial Health System discovered that the patients’ data might have been accessed and exfiltrated in the incident. A review of what files the threat actors could have accessed was carried out. 

By December 9 2021, it had become clear that patients’ names, addresses, Social Security numbers, medical/treatment information and health insurance information may have been viewed and stolen.

Memorial Health System began notifying impacted patients via letter on January 12 2022. Individuals affected by the data breach have been offered a complimentary 12-month membership to Kroll’s credit monitoring service. 

Jennifer Offenberger, associate vice president of service excellence at Memorial Health System, said: “While the extensive investigation with the FBI and cybersecurity teams indicates no reason to suspect there has been any fraudulent use or public release of patient information associated with this incident, we are notifying patients whose information may have been accessible during the breach.”