Community Health Center (CHC), a leading Connecticut healthcare provider, is notifying over 1 million patients of a data breach that impacted their personal and health data.
The non-profit organization provides primary medical, dental, and mental health services to more than 145,000 active patients.
CHC said in a Thursday filing with Maine’s attorney general that unknown attackers gained access to its network in mid-October 2024, a breach discovered more than two months later, on January 2, 2025.
While the threat actors stole files containing patients’ personal and health information belonging to 1,060,936 individuals, the healthcare organization says they didn’t encrypt any compromised systems and that the security breach didn’t impact its operations.
Investigators hired to assess the incident’s impact and secure CHC’s systems found that “a skilled criminal hacker” was behind the attack.
“Fortunately, the criminal hacker did not delete or lock any of our data, and the criminal’s activity did not affect our daily operations. We believe we stopped the criminal hacker’s access within hours, and that there is no current threat to our systems,” CHC added.
Depending on the affected patient, the attackers stole a combination of:
- personal (names, dates of birth, addresses, phone numbers, emails, Social Security numbers) or
- health information (medical diagnoses, treatment details, test results, and health insurance.
A CHC spokesperson was not immediately available when BleepingComputer reached out for more details on the incident.
While CHC said the hackers didn’t encrypt any of its systems, more ransomware operations have switched tactics to become data theft extortion groups in recent years.
For instance, the BianLian ransomware gang gradually abandoned file encryption after Avast released a free decryptor in January 2023. A joint advisory issued by CISA, the FBI, and the Australian Cyber Security Centre also confirmed this in November 2024.
This week, the New York Blood Center (NYBC), one of the world’s largest independent blood collection and distribution organizations, also disclosed that a Sunday ransomware attack forced it to reschedule some appointments.
Over the weekend, UnitedHealth also revealed that roughly 190 million Americans had their personal and healthcare data stolen in last year’s Change Healthcare ransomware attack, nearly doubling the previous figure of 100 million disclosed in October.
In response to this surge of massive healthcare security breaches, the U.S. Department of Health and Human Services (HHS) proposed updates to HIPAA (short for Health Insurance Portability and Accountability Act of 1996) in late December to secure patients’ health data.
