Personal data left vulnerable after Johns Hopkins University and Health System hit by ransomware hack

Baltimore’s Johns Hopkins University and Health System said it is taking action after a hack by a Russian cyber-extortion gang may have left sensitive information exposed.

In an email sent on Wednesday, members of the Johns Hopkins Community were informed about a May 31 data breach that exposed “the information of Johns Hopkins employees, students, and/or parents.”

It said the “widespread cybersecurity attack” targeting its systems was part of a “previously unknown vulnerability in the widely used software MOVEit.”

The attack against the university and health system was part of a larger one that “impacted many other large organizations around the world,” according to Johns Hopkins.

While Johns Hopkins said it is still working to assess the full impact of the attack, an “initial evaluation” showed the breach did not include electronic health records.

“We took immediate action to secure our systems and are working closely with cybersecurity experts and law enforcement to determine what information was compromised. The attack has had no negative impact on the operations of either Johns Hopkins University or the Johns Hopkins Health System,” according to a statement published on a dedicated website for those seeking more information.

Johns Hopkins suggested community members take the following steps, as a precautionary measure to protect their information:

  • Regularly review your bank statements, credit reports, and insurance statements for any unusual activity. If you notice anything suspicious, promptly report it to your financial institutions.
  • Consider placing fraud alerts or credit freezes with major credit bureaus. This will add an extra layer of security and make it harder for anyone to open new accounts using your information.
  • Stay vigilant against phishing attempts and suspicious emails or messages. Do not click on any links or provide information unless you are certain of the source’s authenticity.

Johns Hopkins said it will provide “all impacted individuals” with two years of complimentary credit monitoring.

The cyberattack came to light earlier this month when the Russian cyber-extortion gang Cl0p said its victims had until June 14 to get in touch to negotiate a ransom or risk having sensitive stolen data dumped online, according to The Associated Press.

The AP reported other data-theft victims include the BBC, British Airways and Nova Scotia’s government.

Matt Small

Matt joined WTOP News at the start of 2020, after contributing to Washington’s top news outlet as an Associated Press journalist for nearly 18 years.
