On December 18, 2023, SRHS confirmed the breach compromised data of 252890 patients, all of whom were notified through mails on January 12, 2023. Similar notifications were sent on May 13, 2024, this time to the 25 Maine patients, confirming the new estimate.

“Through the investigation, Singing River identified unauthorized access within its environment between August 16 and August 18, 2023,” SRHS said in the notice. “Although we have no indication of any misuse of your personal information as a result of this event, out of an abundance of caution, we are providing notice to individuals who may have been impacted.”

The attack was claimed by the Rhysida ransomware gang, a notorious threat group that has hacked other healthcare systems including the Lurie Children’s Hospital and Prospect Medical Holdings — although its targets have also included educational institutions, manufacturing industry, and the Chilean army, according to a report by the HHS Health Sector Cybersecurity Coordination Center.   

Breached data include patient health information

The breach compromised personal as well as health data of Singing River patients, including name, date of birth, address, Social Security number, medical information, and health information.

“Singing River has no evidence that any of your information was used for identity theft or fraud,” the company said in the notice. “We encourage potentially impacted individuals to remain vigilant against incidents of identity theft and fraud by reviewing their accounts, explanations of benefits, and credit reports for suspicious activity, and to report any suspicious activity to the affiliated institutions immediately.”

However, according to a report by Bleeping Computer, the Rhysida group has released 80% of the data it holds from the SRHS breach, which included a over 420,000 files amounting to more than 754 GB of data.