Personal information belonging to residents and employees of multiple assisted living facilities were potentially exposed in an April 2019 cyberattack that infected third-party software company Tenx Systems, LLC with ransomware.

The Minneapolis-based company, which operates under the name ResiDex Software and provides software to assisted-living homes, group facilities and care-giving organizations for seniors and the disabled, reported in a press release yesterday that an authorized party accessed its systems on April 2, 2019 and subsequently launched a ransomware assault on April 9.

Recovery from the ransomware itself was swift, according to the company. “ResiDex immediately undertook efforts to restore its servers to a new hosting provider,” the news release said. “Backups and other information maintained by ResiDex were used to enable near seamless restoration of security and services on the same day.  Additionally, ResiDex took affirmative steps to further safeguard its software systems.”

However, the same attacker who spread the ransomware may have also accessed the personal data and protected health information of prospective, former and current residents and staff members of the facilities using ResiDex. Exposed information includes medical records that existed on ResiDex’s software as of April 9, 2019, plus names and Social Security numbers.

ResiDex tasked a forensic investigations firm to look into the incident, but the firm “was unable to identify any specific individuals whose personal information and/or protected health information may have been compromised due to the complexity of the event and efforts undertaken by the perpetrators to conceal their actions,” explained the release, which was spotted and reported on by DataBreaches.net.

The release lists out several dozen facilities that use the software and possibly could have been affected.