On November 4, 2023, reports began to emerge about a possible Summit Health data breach after the ransomware gang LockBit3.0 added Summit Health to its leak site. While Summit Health has yet to confirm that it was the target of a ransomware attack, LockBit3.0 gave the company until November 8, 2023, to satisfy the ransom demand before the group leaked the stolen data. If, upon completing its investigation, Summit Health determines that confidential patient data was leaked as a result of a ransomware attack, the company will be required to send out data breach notification letters to all individuals whose information was affected by the recent data security incident.

If you receive a data breach notification from Summit Health, it is essential you understand what is at risk and what you can do about it. Although there is no confirmation of a Summit Health data breach, ransomware groups rarely fabricate claims because it will hurt their credibility in the future. Thus, it appears likely that the group at least orchestrated an attack against Summit Health and potentially stole sensitive patient data. A data breach lawyer can help you learn more about how to protect yourself from becoming a victim of fraud or identity theft, as well as discuss your legal options following a possible Summit Health data breach. For more information, please see our recent piece on the topic here.

More Information on the Reported Summit Health Ransomware Attack

The Summit Health cyberattack was only recently announced by Lockbit3.0, and more information is expected in the near future. However, a recent news report from databreaches.net provides some important information on what led up to the breach. According to this source, on November 3, 2023, LockBit3.0 added Summit Health to its leak site as a victim. Ransomware groups typically maintain leak sites where they post companies they’ve targeted, often providing samples of the stolen data. However, in this case, LockBit3.0 did not provide any indication of what type of data it allegedly obtained.

LockBit3.0 also noted that Summit Health has until November 8, 2023, to pay the demanded ransom, or the group will publish all the stolen data.

As of November 6, 2023, Summit Health has not yet posted a notice on its website confirming the attack. However, neither has the company denied LockBit3.0’s claims.

In all likelihood, Summit Health is in the process of confirming the group’s claims. From there, Summit Health will need to determine how it will respond to the ransom demand. However, even if the company pays the ransom and prevents publication of the data, Summit Health will still need to review the leaked data to determine if it included confidential patient information. If so, Summit Health will be required to send out data breach letters to anyone who was affected by the recent incident. These letters should provide victims with a list of what information belonging to them was compromised.

More Information About Summit Health

Summit Health is a multi-specialty medical practice based out of Berkeley Heights, New Jersey. Summit Health came to be as a result of the 2019 merger between Summit Medical Group and CityMD. Summit Health operates over 370 locations in New Jersey, New York, Connecticut, Pennsylvania, and Central Oregon. Summit Health employs more than 8,000 people and generates approximately $1.2 billion in annual revenue.