AMEOS Group, an operator of a massive healthcare network in Central Europe, has announced it has suffered a security breach that may have exposed customer, employee, and partner information.
The organization published a statement on its website, citing Article 34 of the General Data Protection Regulation (GDPR), which requires that affected individuals be notified when a breach is likely to result in a high risk to them and permits a public communication where contacting each person individually would involve disproportionate effort.
AMEOS is a Zurich-based healthcare provider that employs 18,000 staff in over 100 hospitals, clinics, rehabilitation centers, and nursing homes located across Switzerland, Germany, and Austria.
It is one of the largest private hospital groups in the broader DACH region, with over 10,000 beds and annual revenue exceeding $1.4 billion.
AMEOS says that, despite the "extensive security measures" in place, external actors gained unauthorized access to its IT systems and retrieved sensitive information.
"Data belonging to patients, employees, and partners—as well as contact information relating to you or your company—may have been affected due to unauthorized access," reads the announcement.
"It cannot be ruled out that this data may be misused on the internet to the detriment of those affected or made accessible to third parties."
In response, AMEOS shut down all of its IT systems and severed all external and internal network connections. It has also reinforced existing security measures and brought in external IT and forensic experts to support the response.
The data protection authorities in all three countries have been informed, and a criminal complaint has been filed with the police.
People who have received care at AMEOS facilities are advised to remain vigilant against phishing and scam attempts.
To date, there are no signs that the accessed data has been disseminated online, stated the healthcare provider.
The investigation is still underway, and AMEOS has promised to provide updates as new information becomes available.
"Currently, we have no specific evidence of an actual leak of your individual personal data," states the organization.
"You will be informed immediately upon completion of the ongoing review and investigation measures via this page."
At the time of writing, no major ransomware group has claimed responsibility for the attack on AMEOS. The organization has not said whether the attack involved data encryption, so both the type of incident and the perpetrators remain unknown.