Nursing Home and Rehab Chain Reports Cyberattack Impacting Nearly 70,000 Individuals


RansomHub Data Breach Affects Tens of Thousands at HCF Facilities

HCF’s Hemfield Manor facility recorded the most significant breach tied to the company’s hacking incident. (Image: HCF)

A significant data breach affecting a network of over two dozen skilled nursing and rehabilitation facilities has left tens of thousands of patients vulnerable after a cyber-attack attributed to the Russian-speaking group known as RansomHub. Reports indicate that the gang has leaked approximately 250 gigabytes of stolen data.

HCF Management, which operates healthcare and nursing facilities in Ohio and Pennsylvania, has informed federal and state regulators of at least 25 distinct data breaches connected to the incident as of January 9, 2025. Initial disclosures reveal that nearly 70,000 individuals’ data was exposed during the breach, with Heritage Health Care, an HCF home healthcare subsidiary, experiencing the largest breach impacting 12,162 individuals. The Hemfield Manor rehabilitation facility in Pennsylvania reported the highest individual case count, with 4,744 patients affected.

The HCF reports indicate that RansomHub added HCF to its dark web site on October 29, 2024, boasting about the volume of stolen data. The breach was linked to unauthorized access gained on September 17, 2024, when cybercriminals infiltrated HCF’s IT systems. The breach was confirmed on October 3 of the same year, when HCF discovered that a third party had compromised its systems.

In the weeks following the incident, investigations indicated that sensitive patient data—including names, addresses, dates of birth, Social Security numbers, and health insurance information—could have been accessed. Legal actions against HCF have already begun, with at least two proposed federal class action lawsuits citing negligence regarding data security practices.

The tactics potentially employed in this attack can be mapped to the MITRE ATT&CK framework. It is likely that the adversaries began with initial access, gaining entry into systems through phishing or exploiting vulnerabilities. Following this, they may have used persistence methods to maintain a foothold within the network and privilege escalation strategies to obtain higher permissions, leading to the acquisition of sensitive data.

As organizations in the healthcare sector confront ongoing cybersecurity risks, the HCF breach underscores the vulnerabilities prevalent in healthcare operations. Cybercriminals continue to target this industry, leveraging ransomware attacks to exploit unsecured systems, as evidenced by the substantial number of breaches reported in 2024.

This incident also reflects a larger trend within the industry: healthcare ranked third among sectors most affected by ransomware attacks last year, following manufacturing and professional services, according to a recent report by Black Kite.

As HCF navigates the aftermath of the breach and potential legal ramifications, it serves as a stark reminder of the critical need for robust cybersecurity measures within healthcare systems to safeguard sensitive patient information from increasingly sophisticated cyber threats.
