Expert says Johns Hopkins University and Health System cyberattack sign of the times
BALTIMORE -- Members of the Johns Hopkins community were alerted to a cyberattack against Johns Hopkins University and Health System that happened on May 31.
A letter went out Wednesday notifying Johns Hopkins community employees, students and patients that the "widespread cybersecurity attack" may have put their personal information at risk. Johns Hopkins officials say the cyberattack did not impact patient medical records. The attackers targeted a "previously unknown vulnerability in the widely used software MOVEit," the letter said.
The Johns Hopkins network was impacted alongside "many other large organizations around the world," according to the letter.
"Johns Hopkins takes the privacy and security of our community members extremely seriously," the letter said. "Our cybersecurity team is working closely with data security experts and law enforcement to determine what information was involved. This investigation is ongoing, but our initial evaluation shows the attack may have impacted the information of Johns Hopkins employees, students, and/or patients."
Johns Hopkins community members put at risk because of the attack will receive updates as they become available and will be contacted personally if they were impacted by it, the letter said.
Two years of free credit monitoring services will be made available to all impacted individuals, according to the letter.
Johns Hopkins staff "took immediate action" to secure its systems and has been "working closely with a leading cybersecurity firm to investigate the attack," the letter said.
Cybersecurity expert Chris Webster of the University of Maryland Center for Health and Homeland Security says the dynamics around ransomware are changing, oftentimes involving a double extortion.
"Now, we're seeing a dual threat. Not only are they ransoming that data back to you. Now, they look to see if they can exploit that data in other ways," Webster said. "The line between state actors and individual actors has really gotten blurry. What we can say is a trend is they're getting more organized."
The letter urged community members to take immediate steps to protect their information as a precautionary measure. It included a short list of proactive actions:
- Monitor Your Accounts: Regularly review your bank statements, credit reports, and insurance statements for any unusual activity. If you notice anything suspicious, promptly report it to your financial institutions.
- Fraud Alerts and Credit Freezes: Consider placing fraud alerts or credit freezes with major credit bureaus. This will add an extra layer of security and make it harder for anyone to open new accounts using your information.
- Be Wary of Suspicious Emails or Communications: Stay vigilant against phishing attempts and suspicious emails or messages. Do not click on any links or provide information unless you are certain of the source's authenticity.
- Sign Up For Credit Monitoring Services: Johns Hopkins will be providing all impacted individuals with two years of complimentary credit monitoring. Instructions for activating the free services will be included in direct communications to impacted individuals.
A study from Johns Hopkins' own business school found that the risk of hospital data breaches is greater at larger facilities and teaching hospitals.
Webster said it is critical for every organization to have a response plan in place.
"We've moved past a period of time where it's an 'if.' It's a 'will,'" Webster said. "If you're operating a system, you're going to be subject to cyberattack."
The Maryland Health Care Commission said in an October 2022 report that health care data breaches statewide have increased by more than 60 since 2018. Breached records surpassed 2.3 million during that time.