back to top

Healthcare Software Provider ESO Solutions Faces Ransomware Attack: 2.7 Million Patient Records Compromised

Last week, ESO Solutions, a company specializing in software for healthcare providers, fell victim to a ransomware attack and data breach. The incident, occurring in late September 2023, impacted a machine containing sensitive data, potentially compromising 2.7 million US patients.

The breach was revealed by ESO Solutions, raising concerns about the security of patient information. Unfortunately, the company did not provide specific details regarding the breach’s entry point, leaving questions about whether it resulted from social engineering or malware.

ESO Solutions serves various healthcare entities, such as hospitals and clinics across the United States. Notable victims of the breach include Mississippi Baptist Medical Center, Community Health Systems Merit Health Biloxi, Merit Health River Oaks, ESO EMS Agency, Forrest Health Forrest General Hospital, HCA Healthcare Alaska Regional Hospital, and Memorial Hospital at Gulfport Health System.

This security incident underscores the vulnerability of healthcare organizations to cyber threats and emphasizes the urgent need for robust cybersecurity measures in safeguarding patient data.

Affected Institutions
Mississippi Baptist Medical Center
Community Health Systems Merit Health Biloxi
Merit Health River Oaks
ESO EMS Agency
Forrest Health Forrest General Hospital
HCA Healthcare Alaska Regional Hospital
Memorial Hospital at Gulfport Health System

No signs of abuse have surfaced

Hospitals, having patient details pilfered, reported stolen data: names, birth dates, phone numbers, medical records, and more. The FBI and state police were promptly informed.

Victims received notice this month with assurances and a 12-month identity monitoring offer via Kroll. No evidence of misuse emerged, according to the company’s communication.

Typically, ransomware groups demand payment for data and decryption key release. Surprisingly, no party has claimed responsibility in this case. If negotiations falter, leaked or sold data could fuel phishing attacks.

Stolen Data Categories
Full names
Birth dates
Phone numbers
Patient accounts and medical record numbers
Injury information
Treatment types
Procedure information
Social Security Numbers

More like this