Georgia hospital notified 160k people of year-old data breach that leaked SSNs and medical records
Comparitech reported today that Wayne Memorial Hospital in Jesup, GA over the weekend confirmed it notified 163,440 people of a May 2024 data breach that compromised SSNs, passwords, financial card numbers, medical history, diagnoses, prescriptions, lab results and images, health insurance, state-issued ID numbers, and more.
We will get back to why it took a year to notify these people about the breach in a moment. Right now, here’s a comment from Rebecca Moody, Head of Data Research at Comparitech:
“This is another worrying case where there has been a significant delay in notifying the majority of people involved in a data breach. Despite having initially notified 2,500 people of a breach in August 2024, it’s taken another year to confirm that over 163,000 people may have been impacted. Furthermore, even though Wayne Memorial Hospital added a data breach alert to its website in August 2024, according to Wayback Machine internet archive data, this had been removed by January 2025. So, unless patients were one of the first 2,500 people to receive a data breach notification letter or happened to view the alert on the hospital’s website from August to December 2024, it’s highly likely they were completely unaware of this breach until now.
While Wayne Memorial Hospital hasn’t confirmed whether or not a ransom was paid, the fact that the hospital was posted on Monti’s website suggests it wasn’t (for the data theft, at least). This means patients’ highly sensitive data has been posted on the dark web since the end of June 2024, leaving them exposed to identity theft and fraud.”
Erich Kron, Security Awareness Advocate at KnowBe4:
“A delay of over a year to notify people who have had their information stolen is unfortunate. Every day the information is in the hands of bad actors puts the victims at risk of not only identity theft, but also of scams and other social engineering tactics.
Information such as procedures, dates and insurance information, all stolen along with other data, allows bad actors to contrive stories that can be used to scam victims again, such as convincing the victim that they have outstanding debts related to the procedure, or similar ruses. Having a lot of detailed information can allow attackers to create detailed stories, and unless the victim is aware that the information is available to bad actors, can easily convince the victims of the validity of the scam.
Organizations that handle sensitive data need to ensure they are making every effort to secure it. Since human error is the top way that ransomware and other malware infect organizations, especially through email phishing, these organizations need to have a well-designed human risk management (HRM) program in place.”
The fact that it took a year before people were notified is unacceptable. This hospital really needs to be held to account for this. But I suspect that given the current political climate, that may not happen. But I am free to be surprised.
This entry was posted on September 8, 2025 at 3:42 pm and is filed under Commentary with tags Hacked. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.