2 million affected in Shields Health Care Group cyberattack
Two million people who sought care at more than 50 Shields Health Care Group partners across the New England region may have had their personal data exposed after the company’s network server was breached in March.
The cyberattack occurred between March 7 and March 21 and was discovered March 28, the healthcare group said Tuesday.
The breach is the largest of the year in healthcare, according to the U.S. Department of Health and Human Services Office for Civil Rights’ breach portal, surpassing the January breach of the North Broward Hospital District in Florida that affected more than 1.3 million people.
Shields, which provides imaging services and outpatient surgical services, said the affected facility partners include Emerson Hospital, Tufts Medical Center and Central Maine Medical Center. Compromised information includes full names, Social Security numbers, dates of birth, home addresses, provider information, diagnoses, billing information, insurance numbers, medical record numbers and patient IDs, it said.
However, Shields said it has no evidence that personal information was used for theft or fraud.
Shields reported the breach to HHS’ Office for Civil Rights on May 27, according to the HHS breach portal. HHS gives entities covered by the Health Insurance Portability and Accountability Act 60 days from when they discover a data breach to notify the department.
Shields did return a request for comment.
Hacking and IT incidents resulting in breaches like Shields’ accounted for nearly three-quarters of healthcare data breaches in 2021, including 10 of last year’s largest breaches.