The protected health information of up to 2 million individuals has potentially been compromised in a Shields Health Care Group cyberattack. Massachusetts-based Shields Health Care Group provides ambulatory surgical center management and medical imaging services throughout New England. On March 28, 2022, suspicious activity was detected within its network. Immediate action was taken to secure its network and prevent further unauthorized access, and third-party forensics specialists were engaged to assist with the investigation and determine the nature and scope of the security breach.
The forensic investigation determined that an unauthorized actor had access to certain Shields systems between March 7, 2022, and March 21, 2022. Shields said a security alert had been triggered on March 18, 2022, which was investigated, but at the time it did not appear that there had been a data breach. It has since been confirmed that during that period of access, certain data was removed from its systems. Shields said it has not been made aware of any cases of actual or attempted misuse of patient data.
A review of the files that were removed from its systems or may have been accessed by unauthorized individuals confirmed the following types of information were involved: full name, Social Security number, date of birth, home address, provider information, diagnosis, billing information, insurance number and information, medical record number, patient ID, and other medical or treatment information. Shields is continuing to review the affected data and will issue notifications to affected individuals on behalf of all affected facility partners when that review has been completed.
When the attack was discovered, immediate action was taken to secure its network and data. Certain systems have now been rebuilt, and additional safeguards have been implemented to better protect patient data. Cybersecurity measures will be reviewed and enhanced moving forward to ensure continued data security.
The HHS’ Office for Civil Rights Breach Portal has the breach listed as affecting 2,000,000 individuals. Shields said those individuals had received services at the following 56 facility partners:
Affected Facility Partners
- Cape Cod Imaging Services, LLC (a business associate to Falmouth Hospital Association, Inc)
- Cape Cod PET/CT Services, LLC
- Cape Cod Radiation Therapy Service, LLC
- Central Maine Medical Center
- Emerson Hospital
- Fall River/New Bedford Regional MRI Limited Partnership
- Falmouth Hospital Association, Inc.
- Franklin MRI Center, LLC
- Lahey Clinic MRI Services, LLC
- Massachusetts Bay MRI Limited Partnership
- Mercy Imaging, Inc.
- MRI/CT of Providence, LLC
- Newton Wellesley Orthopedic Associates, Inc.
- Newton-Wellesley Imaging, PC
- Newton-Wellesley MRI Limited Partnership
- Northern MASS MRI Services, Inc.
- NW Imaging Management Company, LLC (a business associate to Newton Wellesley Orthopedic Associates, Inc.)
- PET-CT Services by Tufts Medical Center and Shields, LLC
- Radiation Therapy of Southeastern Massachusetts, LLC
- Radiation Therapy of Winchester, LLC
- Shields and Sports Medicine Atlantic Imaging Management Co, LLC (a business associate to SportsMedicine Atlantic Orthopaedics P.A.)
- Shields CT of Brockton, LLC
- Shields Healthcare of Cambridge, Inc.
- Shields Imaging at Anna Jaques Hospital, LLC
- Shields Imaging at University Hospital, LLC
- Shields Imaging at York Hospital, LLC
- Shields Imaging Management at Emerson Hospital, LLC (a business associate to Emerson Hospital)
- Shields Imaging of Eastern Mass, LLC
- Shields Imaging of Lowell General Hospital, LLC
- Shields Imaging of North Shore, LLC
- Shields Imaging of Portsmouth, LLC
- Shields Imaging with Central Maine Health, LLC (a business associate to Central Maine Medical Center)
- Shields Management Company, Inc.
- Shields MRI & Imaging Center of Cape Cod, LLC
- Shields MRI of Framingham, LLC
- Shields PET/CT at CMMC, LLC
- Shields PET_CT at Berkshire Medical Center, LLC
- Shields PET-CT at Cooley Dickinson Hospital, LLC
- Shields PET-CT at Emerson Hospital, LLC
- Shields Radiology Associates, PC
- Shields Signature Imaging, LLC
- Shields Sturdy PET-CT, LLC
- Shields-Tufts Medical Center Imaging Management, LLC (a business associate to Tufts Medical Center, Inc.)
- South Shore Regional MRI Limited Partnership
- South Suburban Oncology Center Limited Partnership
- Southeastern Massachusetts Regional MRI Limited Partnership
- SportsMedicine Atlantic Orthopaedics P.A.
- Tufts Medical Center, Inc.
- UMass Memorial HealthAlliance MRI Center, LLC
- UMass Memorial MRI – Marlborough, LLC
- UMass Memorial MRI & Imaging Center, LLC
- Winchester Hospital / Shields MRI, LLC