Anna Jaques Hospital ransomware breach exposed data of 300K patients
Anna Jaques Hospital has confirmed on its website that a ransomware attack it suffered almost precisely a year ago, on December 25, 2023, has exposed sensitive health data for over 310,000 patients.
Anna Jaques is a not-for-profit community hospital in Massachusetts, recognized for delivering high-quality care and performing over 4,700 surgeries yearly.
As a mid-size acute hospital providing 83 beds, 200 physicians, and 1,200 staff members, AJH plays a crucial role in Merrimack Valley, North Shore, and southern New Hampshire, providing essential healthcare services to the local population.
In 2023, at Christmas time, Anna Jaques learned that a cyberattack had impacted specific systems and took immediate action to contain the damage by taking them offline and alerting law enforcement.
The healthcare organization launched an investigation on January 24, 2024, a few days after the 'Money Message' ransomware group began publicly extorting the hospital on January 19.
The threat actors leaked data samples allegedly stolen from Anna Jaques on their dark web extortion site, threatening to expose sensitive patient information if their demands weren't met.
Subsequent updates on the Money Message page showed that the hospital's administrators didn't engage with the threat actors, and the situation culminated with the release of all data on January 26.

Anna Jaques states that the forensic investigation into what the threat actors had stolen was thorough and lengthy, involving manual document review, so it was only completed on November 5, 2024.
According to the related entry on the website of the Office of the Maine Attorney General, where Anna Jaques posted a sample of the notification it sent to affected individuals yesterday, the incident has impacted 316,342 patients.
According to the investigation's results, the following information has been exposed:
- Demographic information
- Medical information
- Health insurance information
- Social Security number
- Driver's license number
- Financial information
- Other personal or health information provided to Anna Jaques
"Anna Jaques has no indication that there has been any fraud as a result of this incident," reads the announcement.
"However, out of an abundance of caution, commencing on December 5, 2024, Anna Jaques notified individuals whose information may have been impacted as a result of the incident to the extent Anna Jaques had their address."
"Additionally, Anna Jaques reminds its employees and patients to remain vigilant in reviewing financial account statements on a regular basis for any fraudulent activity."
Those impacted are offered 24-month-long identity protection and credit monitoring services through Experian and 1B and are urged to consider placing a fraud alert or security freeze on their credit file.