Community Health Center (CHC), a major Connecticut healthcare provider, has announced a significant healthcare provider data breach affecting over 1 million patients.
This data breach at Connecticut’s leading healthcare organization exposed sensitive personal and health information. The non-profit CHC, providing primary medical, dental, and mental health services to more than 145,000 active patients, discovered the breach on January 2, 2025.
The breach, initially occurring in mid-October 2024, went undetected for over two months.
According to a Thursday filing with Maine’s attorney general, unknown attackers accessed CHC’s network and stole files containing the personal and health information of 1,060,936 individuals. This healthcare data breach involved a wide range of data.
The stolen data included personal information such as names, dates of birth, addresses, phone numbers, email addresses, and Social Security numbers. Health information compromised included medical diagnoses, treatment details, test results, and health insurance information.
The breach impacted current and former patients, and all individuals who received COVID tests or vaccines at a CHC clinic. CHC stated that the attackers did not encrypt any systems and that the breach did not disrupt daily operations.
“Fortunately, the criminal hacker did not delete or lock any of our data, and the criminal’s activity did not affect our daily operations, We believe we stopped the criminal hacker’s access within hours, and that there is no current threat to our systems.” CHC reported.
Investigators determined that “a skilled criminal hacker” was responsible for the attack.
While CHC maintains that no systems were encrypted, the incident highlights a shift in ransomware tactics. Many ransomware operations now prioritize data theft and extortion over data encryption.
This trend was noted by Avast, whose release of a free decryptor in January 2023 led to the BianLian ransomware gang abandoning file encryption. A joint advisory from CISA, the FBI, and the Australian Cyber Security Centre confirmed this shift in November 2024.
This healthcare provider data breach follows other significant incidents in the US healthcare sector. The New York Blood Center recently reported a ransomware attack that forced appointment rescheduling, and UnitedHealth disclosed that approximately 190 million Americans had their personal and healthcare data stolen in last year’s Change Healthcare ransomware attack.
In response to the increasing number of massive healthcare security breaches, the U.S. Department of Health and Human Services (HHS) proposed HIPAA updates in late December to enhance the security of patients’ health data.
The US healthcare data security concern is prompting significant regulatory changes as the Connecticut healthcare provider data breach underscores the ongoing need for robust cybersecurity measures within the healthcare industry.
