The Loveland, Ohio-based provider recently faced a data breach impacting over 70,000 patients and employees.
What happened
On August 15th, Carespring filed a notice of a data breach with the Attorney General of Maine.
According to the notice, the organization faced a data breach that began on October 12th, 2023 and was discovered on July 16th, 2024. The breach impacted 76,719 individuals and lasted until October 30th, 2023.
Carespring Healthcare Management has provided care services including independent living, assisted living, nursing homes, rehabilitation care, and more since 1997. The organization operates 17 facilities in Cincinnati, Dayton, and Northern Kentucky.
Going deeper
In their letter to impacted patients, the organization said “a limited amount of information stored on our network may have been accessed and/or acquired by an unauthorized individual.”
Impacted information varied depending on the individual, but may have included names, addresses, dates of birth, Social Security numbers, medical information, health insurance information, and medical diagnosis information.
The company first suspected suspicious activity on October 28th, 2023, when the company experienced an IT issue affecting portions of its computer network. They then began an investigation that is still ongoing.
While it can be difficult to know what organization may have conducted the attack, SecurityWeek did find Carespring’s name on the dark web. Allegedly, the company’s name has appeared on the Tor-based leak site of several ransomware groups.
On November 10th, 2023, the ransomware organization Noescape listed Carespring on their website. Noescape, which first emerged in 2023 and has targeted the United States and Europe, provides Ransomware-as-a-Service. The group claimed to have 364GB of data from Carespring.
Carespring was also added to Hunters’ leak site and LockBit’s earlier this year.
It’s unclear if a ransom was demanded by any organizations, and Carespring has not commented on the issue.
What was said
Carespring’s notice read, “We are committed to maintaining the privacy of personal information in our possession and will continue to take many precautions to safeguard it. We continually evaluate and modify our practices to enhance the security and privacy of your personal information.”
The company does not believe the information has been used for fraudulent activity, but recommends employees and patients review their financial account statements. They are offering free identity and credit monitoring services.
The big picture
Ransomware attacks are increasingly common, and while it’s never advised for organizations to pay a ransom, some organizations may feel pressured to do so. Often, targeted companies feel they have to choose between paying a ransom or facing a class action lawsuit.
Currently, several legal firms are investigating the incident, but no class action suit has developed.
Related: HIPAA Compliant Email: The Definitive Guide
Abby Grifno
