Shields Health Care Group, Inc. (Shields), a family-owned and operated medical provider group based in Quincy, Massachusetts, reported a cyber breach to the U.S. Department of Health and Human Services. The group has been around for 50 years and has over 30 facilities throughout New England.  It offers MRI, PET/CT, and outpatient surgical services, according to its website.   Its services include management and imaging services on behalf of numerous health care facilities and business associates of covered entities.  According to the HHS’ Breach Portal, Shields reported that 2,000,000 individuals were possibly affected by the cyber breach.

Shields posted a notice to its website explaining the breach and the actions affected individuals can take.  According to the notice, on March 28, 2022, Shields was alerted to suspicious activity potentially involving compromised data.  Shields worked with subject matter specialists to perform an investigation.  The investigation determined that an unknown actor accessed some of Shields’ systems from March 7, 2022 to March 21, 2022.  Shields notes that its investigation determined that certain information was acquired or exfiltrated by the unknown actor while it had access to Shields’ system.  The data compromised includes names, social security numbers, dates of birth, provider information, diagnoses, patient ID’s, and other sensitive information, including medical or treatment information.  According to the notice on its website, Shields has no evidence to indicate that the information exposed or acquired was used to commit theft or fraud.  Shields also “took steps to secure our systems, including rebuilding certain systems, and conducted a thorough investigation to confirm the nature and scope of the activity and to determine who may be affected.”

Cyber breaches, especially in the health care industry, will continue to plague companies of all sizes.  Chilivis Grubman attorneys routinely discuss cyber-related developments.  In May 2022, CG attorneys discussed the ARcare data breach that potentially affected over 345,000 individuals.  Cyber-related incidents are showing no signs of a decline.  In January 2022, CG attorneys discussed the HIPAA Journal’s December 2021 Healthcare Data Breach Report, which indicated there were 70 more data breaches in the healthcare industry in 2021 than in 2020.

Cyber threats are here to stay.  Companies in all industries, especially those handling and storing sensitive personal data, should try to safeguard data, ensure proper employee training, and develop a breach response process that is tested, rehearsed, and updated.

The attorneys at Chilivis Grubman represent clients of all sizes in connection with data breaches and cybersecurity matters, including regulatory obligations and litigation arising therefrom.  If you need assistance with such a matter, please contact us today.