June 8, 2022

Shields Health Care Group hit by data breach, 2 million patients affected

Shields Health Care Group (Shields) suffered a data breach that compromised the personal information of nearly 2,000,000 people in the United States after threat actors breached its IT systems and stole data.

According to a data breach notification published on the company's site, Shields became aware of the hacker attack on Mar. 28 and hired cybersecurity specialists to determine the scope of the incident.

The examination of log files showed that the hackers had access to Shields’ systems from Mar. 7 to Mar. 21, allowing them to potentially access data containing the following patient information:

  • Full name,
  • Social Security number,
  • Date of birth,
  • Home address,
  • Provider information,
  • Diagnosis,
  • Billing information,
  • Insurance number and information,
  • Medical record number,
  • Patient ID,
  • Other medical or treatment information.

The above information can be used for social engineering, phishing, scamming, and even extortion, depending on the case, and is generally considered extremely sensitive information.

Shields reported it has seen no evidence that any stolen information has been misused or disseminated on illegal channels. However, it might be too early for that data to be circulated publicly.

Typically, stolen information of this kind is bartered privately and used in small-scale, targeted attacks before it is resold to lower-tier threat actors who engage in bulk exploitation.

Australia-based trading company ACY Securities also exposed a massive trove of personal and financial data of unsuspecting users and businesses online for public access.