A digital attack on a Massachusetts-based health care organization may have compromised the personal information of as many as 2 million people, officials said.
Shields Health Care Group Inc., which provides imaging and ambulatory surgical services at dozens of locations, said in a notice on its website Tuesday that data including names, Social Security numbers, dates of birth, and medical or treatment details is among the information that may have been compromised.
The breach has been reported to federal law enforcement and the U.S. Department of Health and Human Services Office for Civil Rights. That agency reported on its website that 2 million people were affected. An FBI spokesperson said the agency had no comment.
Shields said it “was alerted to suspicious activity that may have involved data compromise” on March 28 and immediately started investigating.
“This investigation determined that an unknown actor gained access to certain Shields systems from March 7, 2022 to March 21, 2022,” the company said. “Furthermore, the investigation revealed that certain data was acquired by the unknown actor within that time frame.”
There is no evidence to indicate that any of the compromised information has been been used to commit identity theft or fraud, Shields said in a statement Wednesday.
“Shields takes the confidentiality, privacy, and security of information in our care seriously,” the website notice said. “Upon discovery, we took steps to secure our systems, including rebuilding certain systems, and conducted a thorough investigation to confirm the nature and scope of the activity and to determine who may be affected.”
The company’s review continues, and once it is complete, people directly affected will be notified, officials said.
Quincy-based Shields has about 40 locations, mostly in Massachusetts but also in New Hampshire and Maine.
Shields also included a list of dozens of facility partners that may have been affected, including Tufts Medical Center, Central Maine Medical Center and UMass Memorial.
FBI Director Christopher Wray this month told a Boston College cybersecurity conference that the agency had thwarted a planned attack on Boston Children’s Hospital that was to have been carried out by hackers sponsored by the Iranian government.
Health care is classified by the U.S. government as one of 16 critical infrastructure sectors, and health care providers are seen as ripe targets for hackers.