Onix Group, a commercial real estate company operating addiction recovery centers and medical facilities, has notified 319,500 patients and employees of a recent ransomware incident that compromised their personal and health information.
Furthermore, the ransomware attack, discovered on March 27, corrupted certain systems and involved the exfiltration of a subset of files. The affected information included patients’ names, Social Security numbers, birthdates, scheduling, billing, clinical information, as well as employee data such as names, Social Security numbers, direct deposit information, and health plan enrollment information. Onix is taking steps to enhance its security protocols and protect the information in its care.
At the same time, the unauthorized actor accessed Onix’s network between March 20 and March 27, according to the investigation into the ransomware incident. Onix’s healthcare division, with over 30 years of experience operating medical facilities, was impacted. The compromised files contained varying information for each individual, including patients’ medical care details at Onix facilities.
Additionally, employee information related to human resources, such as names, Social Security numbers, direct deposit information, and health plan enrollment details, was also compromised.
Onix’s healthcare-related entities affected by the incident include Addiction Recovery Systems centers, Cadia Healthcare centers, and Physician’s Mobile X-Ray units.
While the company has not disclosed further details about the ransomware attack, it is evident that real estate companies operating as business associates under HIPAA must demonstrate reasonable safeguards to protect patient information.
Finally, the incident reported by Onix is one of 295 major health data breaches reported to federal regulators in 2023, affecting over 37 million individuals. Business associates accounted for 113 of these breaches, affecting nearly 19.9 million individuals. The healthcare industry remains a target for capable adversaries, leading to disruptions, data exfiltration, and extortion.
Onix is committed to enhancing its system security and protocols to ensure the safeguarding of information and mitigate future risks.