- Medusind begins notifying victims about a December 2023 data breach
- Incident resulted in 360,000 people losing payment and personal data
- The company is offering two years free identity theft monitoring
Medusind, a major medical billing firm, has confirmed suffering a cyberattack in which hundreds of thousands of people lost sensitive data, including payment information.
In a data breach notification letter, the company said the incident happened on December 29, 2023, and was spotted the same day. Since Medusind is a healthcare revenue cycle management company, it provides billing support to healthcare organizations, and it is patients from these healthcare firms who’ve had their data grabbed in this attack.
A detailed investigation into the attack uncovered that the threat actors stole health insurance and billing information (insurance policy numbers, or claims/benefits information), payment information (debit/credit card numbers, bank account information), health data (medical history, medical record number, prescription information), government ID information (Social Security numbers, taxpayer IDs, driver’s licenses, passport numbers), and other personal information (email addresses, phone numbers, birth dates, and more) – all of which could put victims at risk of identity theft or worse.
Hundreds of thousands of victims
In a separate filing with the Maine Office of the Attorney General, Medusind confirmed that exactly 360,934 people have been affected.
“The particular type of information involved depends on the individual,” it stressed in the letter.
There is currently no evidence of the data being abused in the wild, and Medusind is offering two years of free identity theft monitoring through Kroll. It also urged the victims to monitor their account statements for unexpected or strange entries which might signal identity theft, or fraud attempts, and to report them to the authorities.
Due to the sensitivity of the data they operate, and the high cost of recovery, healthcare organizations are among the most targeted ones for ransomware actors. In fact, recent analysis from Sophos found that the average cost to recover from a ransomware attack was $2.57 million in 2024, up from $2.2 million the previous year.