Personal data of 617,000 patients exposed in NJ hospital cyberattack

🔴 CentraState said an "unauthorized person" obtained a copy of an archived database that stored patient information.

🔴 617,000 impacted patients are being notified

🔴 The information included Social Security numbers, health insurance and doctor notes

The veil of secrecy around a cyberattack at CentraState Medical Center was lifted to reveal that personal data of 617,000 patients on an archived database was stolen during the breach in December.

The hospital first reported an "IT security issue" on Dec. 30 that affected some hospital services including the admission of emergency room patients but did not disclose details about the issue.

In a statement issued Friday, the hospital said an investigation found that an "unauthorized person" obtained a copy of an archived database that stored patient information. The statement did not disclose who was responsible for the theft or if any charges were filed.

The information exposed varied by individual but potentially included a treasure trove of personal information including name, address, date of birth, Social Security numbers, health insurance information, medical record numbers, patient account numbers, doctor notes, information on care received at CentraState and prescription information.

No financial or payment information was kept in the archive.

The hospital began mailing letters to affected patients Friday offering free credit monitoring and identity theft protection services to individuals whose Social Security number was involved.

"CentraState deeply regrets any concern this incident may have caused and is continually enhancing the security of its electronic systems and the patient data it maintains to help prevent events such as this from occurring in the future," the hospital said in a statement.

Detecting something wrong

The hospital said it first detected "unusual activity" with its computer systems on Dec. 29 and worked with a forensics firm to investigate. It also reported the incident to law enforcement including the FBI.

In the hours after the breach was discovered the hospital went on divert and was not accepting new patients.

CentraState was vague in the information it released about the incident and would not disclose details about the impact of the cyberattack on its network or what agencies were involved in the investigation.

On its website after the New Year's Day holiday, the hospital listed impacts on its outpatient radiology and radiation treatments. Mammographies were canceled and CentraState Labs was open with no appointment necessary. Those impacts became less and less over several days.

CentraState President and CEO Tom Scott told NBC 4 New York that "irregularities" were detected in the hospital's computer systems, which were shut down. Paper forms that had been stored for emergency use were pressed into service to take patient information. Scott said some patient records were still accessible but administrative staffing was increased to handle the paperwork.

 Hospitals warned about cyberattacks

The American Hospital Association before Christmas told its members about warnings from the FBI, National Security Agency and other groups about ransomware and other cyber threats targeting healthcare systems.

John Riggi, AHA national advisor for cybersecurity and risk, said "foreign cyber gangs and spies" were testing the resiliency of hospitals especially as hospitals began to  fill up at the time because of the "tripledemic" and increased cases of RSV, flu and COVID-19 cases.

“Our cyber adversaries believe we may pause for the holidays, which may result in their increased targeting of hospitals and health systems as we have seen around past holidays,” Riggi said in a statement. “But our hospitals never close and our network defenders never cease their vigilance.

Schools, and municipalities attacked this year

🖥️ The Bridgewater-Raritan Regional School District disclosed the details about a "service disruption" in December found to expose the names and Social Security numbers of district employees and others who are in the district's insurance plan, according to a media release obtained by MyCentralJersey.com.

🖥️ The Monroe Township school district in Gloucester County closed for several days at the end of November because of problems with the school's internet and WiFi connection.

A message from Superintendent Susan Ficke said the problem was caused by an “unauthorized third party,” according to 6 ABC Action News.  There would be “logistical and safety concerns” if classes were held without an internet connection, according to Ficke's message.

🖥️ A problem with internal servers at the Hudson County Schools of Technology campuses in Secaucus and Jersey City was blamed for taking down its network in early December.

🖥️ The Tenafly school district was also the victim of a ransomware attack in June.

🖥️ Several New Jersey government agencies have fallen victim to cyberattacks, including Somerset County, whose entire IT system was taken down in May.

🖥️ East Windsor Township's system was attacked in March.

Dan Alexander is a reporter for New Jersey 101.5. You can reach him at dan.alexander@townsquaremedia.com

Click here to contact an editor about feedback or a correction for this story.