Fresenius discloses breach affecting more than 500,000 patients and employees

In Data Breach News, Healthcare
December 07, 2023

On December 6, Fresenius Medical Care AG filed Form 6-K with the Securities and Exchange Commission. The filing disclosed a data breach:

On September 29, 2023, Cardiovascular Consultants, Ltd. (CVC), a subsidiary of Fresenius Medical Care AG (the Company) located in the United States (U.S.), became aware that some of its computer systems in the U.S. were affected by a security incident where an intruder claimed to have stolen data. CVC took immediate action to contain the incident and engaged a third-party forensic firm to assist in the investigation and response. The investigation has determined that specific systems were accessed and data were encrypted and stolen by the intruder. The security incident affected the electronic medical record and data warehouse containing information on current and former CVC patients and others. To date, we have identified the stolen data as having come from the data warehouse. The incident also impacted various applications and files that contained sensitive employee information. The incident may have affected approximately 500,000 patients, former patients, guarantors and 200 staff located across several states, U.S. territories and four countries. In response, we have engaged a consumer credit reporting agency to facilitate patient notifications, call center services and credit monitoring of the affected parties on our behalf. In addition, we are currently investigating the impact of this security incident on another subsidiary, Fresenius Vascular Care, Inc., located in the United States. This investigation is still ongoing.

Based on expenses incurred to date for the investigation and remedial action described above, together with forecasted additional expenses, the Company does not expect the incident to have a material impact on its financial condition or results of operations. However, the Company’s investigation and determination to report the incident also considered certain other factors, including CVC’s obligation to report the incident to regulatory bodies, possibly resulting agency investigations, potential future litigation and potential reputational damage.

DataBreaches.net reports that in October, the Qilin ransomware leak site claimed to have attacked Cardiovascular Consultants, Ltd. and dumped more than 205 GB of data. The leaked data reportedly could not be downloaded.