Manchester Memorial Hospital is one of three hospitals owned by Prospect Medical Holdings in Connecticut. Yale New Haven Health has made a bid to buy the three facilities, but is still negotiating a price with Prospect. A certificate of need for the deal took 16 months to approve. Credit: Shahrzad Rasekh / CT Mirror

An additional 110,000 Connecticut residents had their personal data compromised during a six-week cyberattack of three Prospect Medical Holdings hospitals in the summer, according to a letter from their attorney to the state.

Initially, Prospect believed the data breach affected only 63 Connecticut patients, along with 24,000 employees.

In a two-page letter to the state attorney general’s office, attorneys representing the California-based hospital chain wrote that they have sent notifications by mail to 109,728 Connecticut residents, most of whom are patients.

For patients, the information varied, but included: patient names, addresses, dates of birth, diagnosis, lab results, medications, and other treatment information, health insurance information, provider/facility name, dates of treatment, and financial information,” attorney Sara Goldstein of the Philadelphia-based law firm BakerHostetler wrote.

“For individuals affiliated with Prospect Medical, including vendors, this information may have included their names and Social Security numbers,” Goldstein said.

Goldstein said Prospect Medical is offering vendors and employees whose Social Security numbers were involved two years of complimentary credit monitoring and identity protection services through a company called IDX. Prospect officials said a very small number” of vendors were among the 110,000 involved in the data breach. They did not provide an estimate of how many people working for vendor companies may have had their information stolen.

“On November 13, 2023, Prospect Medical began mailing letters to patients whose information may have been involved in the incident,” Prospect officials said in a statement. “For patients whose information may have been involved in the incident, Prospect Medical recommends reviewing the statements they receive from their health care providers and contacting the relevant provider immediately if they see services that they did not receive.

“Prospect Medical takes this incident very seriously and sincerely regret any concern this may cause. To help prevent something like this from happening again, Prospect Medical has implemented additional safeguards and technical security measures to further protect and monitor its systems.”

The company launched a toll-free “incident response line” to answer questions about the breach. People who may have had their information stolen can call 888-979-0012 Monday through Friday from 6 a.m. to 6 p.m. Pacific Time.

Prospect is required by state law to update the attorney general’s office periodically after a cyberattack occurs.

“The Office of the Attorney General’s Privacy Section is reviewing the supplemental notification just provided by Prospect as well as its information security practices,” spokeswoman Elizabeth Benton, spokeswoman for the attorney general’s office, said Wednesday.

The cyberattack occurred in early August and lasted nearly six weeks, crippling services at Manchester Memorial Hospital, Rockville General Hospital and Waterbury Hospital.

The cyberattack forced the hospitals to divert ambulances away from their emergency rooms, caused havoc with reading X-rays and electrocardiograms and crashed their payment system forcing them to seek a one-time $7 million upfront Medicaid payment from the state.

This is the fourth update that company has given the attorney general, although the last one was on Sept. 23.

At that time Prospect believed about 24,000 Connecticut residents may have had their data stolen although at that time the company believed most of them were current or former employees.

Prospect also told the attorney general’s office at the time 63 Connecticut residents who were patients at Prospect hospitals in California may have had their information breached, including patient names, health insurance and financial information. Of those breaches, 13 had Social Security numbers involved, according to the Attorney General’s office.

In an internal email to employees in September, Prospect said the investigation so far showed that an “unauthorized party gained access to our IT network between the dates of July 31 and August 3 … The unauthorized party accessed benefits administration files that contain information pertaining to current ECHN and Waterbury HEALTH employees and certain former employees.”

Prospect said its investigation of the cyberattack is still ongoing and the company has hired Kroll, a New York City based cybersecurity firm, to conduct it.

“The Office of the Attorney General’s Privacy Section is reviewing the supplemental notification just provided by Prospect as well as its information security practices,” Benton said.

Dave does in-depth investigative reporting for CT Mirror. His work focuses on government accountability including financial oversight, abuse of power, corruption, safety monitoring, and compliance with law. Before joining CT Mirror Altimari spent 23 years at the Hartford Courant breaking some of the state’s biggest, most impactful investigative stories.

Jenna is The Connecticut Mirror’s health reporter, focusing on access, affordability, equity, and disparities. Before joining the CT Mirror, she was a reporter at The Hartford Courant for 10 years, where she covered government in the capital city with a focus on corruption, theft of taxpayer funds, and ethical violations. Her work has prompted reforms on health care and government oversight, helped erase medical debt for Connecticut residents, and led to the indictments of developers in a major state project. She is the recipient of a National Press Foundation award for a four-part series she co-authored on gaps in Connecticut’s elder care system.