Zoll Medical says intruders had 1M+ patient, staff records at their fingertips

Medical device and software maker Zoll Medical says the personal and health information of more than a million people, including patients and employees, may have been stolen by crooks in January.

In documents submitted to officials in US states, and letters sent out to those people affected, Zoll said that on January 28 the biz detected “unusual activity” on its internal network and confirmed an intrusion on February 2.

The data that could have been pored over or exfiltrated includes the names, addresses, birth dates, and Social Security numbers of current and former employees and patients, they wrote in a March 10 letter which is included in the state filings. In addition, miscreants seeing this information may be able to infer that some of those people either used or considered using a Zoll product, the LifeVest wearable cardioverter defibrillator.

Officials with Zoll, a company owned by Japanese multinational chemical company Asahi Kasei and based in Chelmsford, Massachusetts, said in the letter that there was no indication that the exposed information has been misused.

“We consulted with third-party cybersecurity experts to assist with our response to and remediation of the incident, and we notified law enforcement and federal and state regulatory agencies as required by law,” they wrote.

It was unclear what kind of attack led to the data breach, whether the information was exfiltrated or a ransom demanded, or how the cybercriminals were able to get into the company’s internal network. While data loss incident reporting is required by Maine law, giving out the technical details is not.

The Register has contacted Zoll for additional information. We’ll update the story if there is a response.

Healthcare and related organizations continue to be a target of threat groups given the enormous amount of personal and health data they hold, the large numbers of connected devices they use, and their broad and differing range of cybersecurity capabilities. It also helps that their insurance providers often encourage them to pay up, although that appears to be changing.

Critical Insight, a cybersecurity-as-a-service provider, found that in the second half of 2022, while the number of data intrusions declined 9 percent over the first six months of the year, the number of individual records exposed during breaches jumped 35 percent, reaching 28 million.

A Check Point report found that healthcare was among the top three targeted sectors of cyberattacks in 2022, along with education and government.

There are a number of ransomware groups that specifically target healthcare organizations. The FBI took down one of them – Hive – in late January, but others like Royal are still out there and active.

Recent data losses involving health information include attacks on Southern California facilities that affected more than three million patients and on DC Health Care Link, which administers the healthcare plans for members of Congress, their families and staffs.

In the wake of the breach, Zoll is offering patients whose Social Security numbers were exposed 24 months of Experian’s IdentityWorks identity protection and credit monitoring program for free and 36 months for current and former employees and their dependents.

This isn’t the first data breach Zoll has had to deal with. In late 2018, the health and personal data of more than 277,000 patients was exposed by a configuration error during a server migration by third-party vendor Barracuda Networks, leading to a lawsuit. The incident exposed some of Zoll’s archived emails in November and December that year. ®

READ MORE HERE