Equinox, a US-based counselling and health services provider, has suffered a cybersecurity breach that may have compromised the sensitive health information of clients and staff. On 15 November 2024, the company alerted affected individuals, including current and former clients and employees, about the potential exposure of their personal data.
The breach was first identified on 29 April 2024, following the detection of unusual activity within Equinox’s internal systems. In response, the company secured its systems and enlisted independent forensic specialists to conduct a thorough investigation. The investigation uncovered that an unauthorised party had accessed and potentially acquired files stored within the company’s infrastructure.
Extensive Equinox data breach
Equinox disclosed that the compromised information varied by individual but could include names, addresses, dates of birth, Social Security numbers, passport numbers, financial account details, driver’s licence or state identification numbers, as well as medical data such as diagnoses, treatment information, health insurance details, and medication-related records. However, the company stated that it has no evidence indicating the misuse of the compromised data.
The incident has been reported to multiple authorities, including the New York State Attorney General, the New York State Division of State Police, the New York State Department of State’s Division of Consumer Protection, and the Federal Office for Civil Rights. In response to the breach, Equinox announced the implementation of additional security measures designed to prevent similar occurrences in the future.
According to Equinox, affected individuals have been contacted through official notification letters detailing the breach and recommended actions to safeguard their personal and health information. “The letters include information about this incident and about steps that potentially impacted individuals can take to monitor and help protect their personal and protected health information,” the company stated.
Other US healthcare breaches in 2024
US healthcare organisations often find themselves targeted by cybercriminal gangs. In February, Change Healthcare suffered a ransomware attack that not only disrupted insurance claim submissions and processing nationwide, but also exposed the health insurance details, medical records, billing information, and personal identification numbers of over 100 million individuals. UnitedHealth Group, the parent company, acknowledged that the attack was facilitated by the use of stolen credentials and the absence of multi-factor authentication on a Citrix remote access service. The company paid a $22m ransom to regain control of its systems.
In May, Ascension Health, a non-profit Catholic health system operating in 19 US states, faced a cyberattack that disrupted operations in some of its 140 hospitals. The attack led to ambulance diversions, delayed medical tests, and the temporary shutdown of electronic patient records, necessitating a return to paper records. Ascension engaged Google’s Mandiant cybersecurity team to assist in the investigation and restoration of its systems.
In August, Planned Parenthood of Montana reported a data breach involving unauthorised access to its IT network. The compromised information included names, addresses, dates of birth, and medical data of patients. The organisation notified affected individuals and implemented additional security measures to prevent future incidents.