Florida Department of Health Announces June 2024 Cyberattack

The Florida Department of Health has begun sending notifications to individuals impacted by a cyberattack it suffered in June 2024. The breach, detected on June 26, 2024, involved unauthorized access to selected systems and the theft of sensitive information, including protected health information.

A forensic investigation confirmed that the breach occurred on June 26, 2024. The stolen files were reviewed, revealing that compromised information included names, birth dates, addresses, banking data, credit card details, Social Security numbers, driver’s license numbers, military IDs, passport numbers, Nexus numbers, medical and dental records, medication details, medical provider information, insurance coverage details, insurance claim details, and passwords. The specific data involved varied for each person, and the notifications sent to individuals detailed the exact types of information affected.

Immediately after detecting the breach, the Department of Health took swift action by shutting down the affected systems and isolating servers. The incident was reported to law enforcement, and the Florida Department of Law Enforcement is conducting an investigation. In response to the attack, additional security measures were enforced to prevent future breaches.

The Florida Department of Health is offering potential victims of the cyberattack 12 months of free credit monitoring and identity theft protection services via Kroll. These services include fraud consultation, identity restoration, credit monitoring, online monitoring, and up to $1 million coverage for identity fraud loss reimbursement.

Those affected by the incident are advised to stay alert for potential identity theft and fraud by monitoring their credit reports and financial account statements for suspicious activity. If they notice any unauthorized transactions or suspect identity theft, they should contact their financial institution right away. Victims should also be wary of scams in which attackers pose as the Department or reference this incident to deceive individuals.

RansomHub, the ransomware group behind the attack, published 100GB of stolen files on its data leak site when the victim did not pay their ransom demand. The breach has been reported to the Department of Health and Human Services’ Office of Civil Rights (OCR), though it has not yet appeared on the OCR breach portal. The total number of individuals affected by the breach remains unknown.

Individuals with questions about this incident may contact the dedicated call center set up by the Department at 866-997-1602, Monday through Friday from 9 a.m. to 6:30 p.m. ET.

Auction of Stolen Data by Rhysida Threat Group

Franklin County in Kansas recently suffered a ransomware attack that resulted in the theft of protected health information (PHI) stored on its systems. The County discovered the attack on May 20, 2024, and engaged a digital forensics firm to help secure its systems and investigate the incident. Although the prompt action of the Department of Technology halted the encryption, the attack was not discovered early enough to prevent the data theft.

On May 19, 2024, an investigation confirmed that the exfiltrated data included the PHI of people who received services from the County Adult Detention Center and the County Health Department. The investigation and document review are not yet finished, so it is uncertain at this time how many people were impacted.

The breach report submitted to the HHS’ Office for Civil Rights indicated that at least 501 people were impacted. This figure will be replaced with the actual number once the investigation and document review are completed. Franklin County officials have stated that the breached information includes names, addresses, birth dates, Social Security numbers, medical record numbers, vaccination data, dates of service, diagnosis data, treatment details, medication data, medical insurance ID numbers, and/or other medical insurance details.

Franklin County is using dark web monitoring tools to determine whether any of the stolen information has been published. When its substitute breach notice was published, no information had been posted or offered for sale. That has since changed. The Rhysida ransomware group has claimed responsibility for the attack and says it stole 6.5 TB of data files. A week ago, Rhysida added Franklin County to its data leak site and claimed that the stolen information consisted of databases, employee usernames and passwords, and information from all servers related to emergency service applications.

Although many ransomware groups publish stolen information on their data leak sites when no ransom is paid, Rhysida is known for auctioning off the stolen information. For instance, the cyberattack on Lurie Children’s Hospital in Chicago in January 2024 was conducted by Rhysida, and the stolen data from that incident was sold for $3.4 million. According to Rhysida, there will be a 7-day auction, and the group will sell the data for a minimum of 30 Bitcoin, or $1.9 million.

Franklin County is providing free credit monitoring services to all personnel of the city of Columbus, Municipal Court judges, and Municipal Court Clerk personnel of Franklin County. The County has implemented additional security monitoring software to improve detection and response, hardened system access controls, removed all inactive user accounts, and applied supplemental technical security measures, such as upgrading its firewall defenses.

RansomHub Group Attacks Florida Department of Health Data

The Florida Department of Health told FOX 35 in Orlando that it is investigating a cyberattack that impacted its Vital Statistics System, which the department uses to process birth and death certificates. The system disruption has caused difficulties for funeral homes throughout the state for several weeks. Some funeral homes delayed their services or were compelled to physically visit healthcare providers to obtain signed printed copies of death certificates.

The Department of Health has revealed little information about the attack, although it appears to be a ransomware attack involving the exfiltration of a large volume of files, potentially including PHI. The RansomHub group claimed responsibility for the cyberattack, stated that it had stolen about 100 gigabytes of data from the Department, and began leaking the stolen information because no ransom was paid by the July 1, 2024 deadline it had set. The Department of Health has not commented to verify the group’s claims or the scope of any security breach.

Non-payment of the ransom demand is to be expected, as Florida revised its State Cybersecurity Act to prohibit state agencies, counties, and cities hit by a ransomware attack from paying or complying with a ransom demand. The prohibition on ransom payments took effect on July 1, 2022.

There is no reason to doubt the hacking group’s claims of data theft. RansomHub has conducted many attacks in the U.S.A., including attacks on healthcare companies and federal departments. The group was also indirectly involved in the ransomware attack on Change Healthcare in February, having obtained the data stolen in that attack by a BlackCat ransomware group affiliate after BlackCat carried out an exit scam, keeping the $22 million ransom without paying the affiliate’s share.

Cyberattack on Change Healthcare Threatens Large Segment of US Population

UnitedHealth Group (UHG) Chief Executive Andrew Witty has stated that a ransom was paid to stop the leak of information stolen in the Change Healthcare cyberattack. Although the amount of the ransom payment was not disclosed, UHG is reported to have paid the Blackcat ransomware group $22 million. The information was not deleted, and a second ransomware group, RansomHub, acquired the data and attempted to extort a ransom payment from UHG and Change Healthcare. RansomHub published screenshots of the stolen information when no payment was forthcoming.

UHG released a statement saying that, according to preliminary investigation results, protected health information (PHI) and/or personally identifiable information (PII) was exposed in the attack. The specific types of information involved have not been confirmed, though UHG stated it has found no evidence of exfiltration of doctors’ charts or complete medical histories. UHG has not confirmed the number of individuals impacted by the breach; however, a significant percentage of the American population will likely be affected. Change Healthcare states on its website that its systems handle the data of 33% of Americans, meaning this may be the largest healthcare data breach ever, possibly affecting the PHI of over 100 million people in America.

There is no clear date yet for when notifications will be issued. It has been about 60 days since February 21, 2024, when the cyberattack was discovered, and the breach of PHI was only confirmed on April 15, 2024. Analysis of the impacted data is in progress to determine the number of people and the types of data breached. Given the nature and complexity of the data analysis, it will probably take a few more months before affected individuals can be identified and notified. Support and protections are being provided now, while the data analysis continues, rather than waiting until the review concludes. A dedicated website has been set up with further information.

UHG has provided updates on the restoration of Change Healthcare’s services. UHG’s pharmacy and medical claims services in all health systems are restored to almost 100% of normal levels, but a few providers are still negatively impacted. Payment processing is at roughly 86% of pre-attack levels, and about 80% of Change Healthcare’s operations have been restored. The remaining services are expected to be restored in the coming weeks.

UHG has not yet disclosed information on the nature of the breach, but The Wall Street Journal reported that hackers gained access to Change Healthcare’s systems 9 days before ransomware was deployed on February 21, 2024. According to the WSJ’s source, compromised credentials were used to access the systems. Multifactor authentication was not enabled on the compromised account, and lateral movement occurred between February 12 and February 24, allowing the attackers to access substantial amounts of data.

HHS Webpage with HIPAA FAQs Regarding the Change Healthcare Cyberattack

The HHS’ Office for Civil Rights has created a webpage to answer frequently asked questions about how the Health Insurance Portability and Accountability Act (HIPAA) applies to the Change Healthcare ransomware attack. The webpage explains the reason for OCR’s ‘Dear Colleague’ letter regarding the cyberattack and the rapid launch of an investigation of Change Healthcare and UnitedHealth Group (UHG) to determine whether they were compliant with the HIPAA Rules. OCR took quick action because of the extensive impact of the cyberattack on healthcare companies and patients and the unprecedented effect on patient care and personal privacy. OCR reminded other HIPAA-covered entities with business relationships with Change Healthcare to ensure they have business associate agreements in place and of their duty to safeguard PHI.

OCR stated that it has not received any notice from Change Healthcare regarding a PHI breach and reminded covered entities that they have 60 days from discovering a data breach to report a breach of unsecured PHI. OCR said covered entities impacted by the cyberattack on Change Healthcare must send breach notifications to the impacted individuals and notify the HHS Secretary. The notifications must be sent without unreasonable delay and no later than 60 days from discovery of the breach. A notification must also be provided to the media. When a business associate experiences a data breach, it must inform the covered entity within 60 days, including details of the breach and the impacted individuals. The covered entity is responsible for issuing breach notifications for breaches at its business associates, though it may delegate that task to the business associate.

HIPAA-covered entities impacted by the Change Healthcare cyberattack should contact Change Healthcare/UHG if they have any questions about breach notifications, to find out whether Change Healthcare and UHG can issue the breach notifications on behalf of the impacted entities, and to learn how the notifications will be sent. UHG has said it is willing to help impacted entities by issuing breach notices on their behalf.

Nebraska Hospitals Targeted by Scammers

Bryan Health has published an advisory after being informed by some patients that they were called by individuals posing as representatives of Nebraska hospitals and told they could claim a refund related to the Change Healthcare cyberattack. The scammers asked for a credit card number to process the refund. Bryan Health stated that its staff will never call to ask for a credit card number to initiate a refund. Nebraska Hospital Association (NHA) President Jeremy Nordquist urged Nebraskans to be cautious: if the nature of a call seems suspicious, hang up and contact your hospital directly. All Americans are warned of the likely increase in scams associated with the Change Healthcare cyberattack.

More Ransomware Attacks With More Active Ransomware Groups in Q1 of 2024

GuidePoint Security’s Research and Intelligence Team (GRIT) analyzed ransomware activity and found 55% more active ransomware groups year-over-year and 20% more ransomware attack victims (1,024) than in Q1 of 2023.

According to GuidePoint Security’s Q1 2024 Ransomware Report, the sectors most affected by ransomware attacks were retail and wholesale, manufacturing, and healthcare. Although posted victims increased by 7.4% from February to March, attacks on healthcare organizations dropped from 32 in February to 20 in March. Law firms saw a similar reduction, with attacks decreasing from 20 in February to 10 in March. In Q1 of 2024, over 50% of all victims (537 attacks) were in the United States, the first time that has happened since Q2 of 2023. The United Kingdom was the second most attacked country with 60 attacks.

GRIT found 29 distinct active ransomware groups in Q1 of 2023 and 45 groups in Q1 of 2024. LockBit was the most active ransomware group in Q1 of 2024. Although LockBit was disrupted by law enforcement in February 2024, it remained active with 219 victims in the quarter, though fewer than its typical number of attacks. Before the law enforcement operation on February 20, 2024, LockBit conducted an average of 3 attacks per day; from February 24 to March 31, the group averaged only 2 attacks per day. The group currently appears to be back in full operation, with 97 victims in March alone. Blackbasta was the second most active group with 73 attacks in Q1 of 2024, up 151% from the previous quarter. Next was Play with 71 attacks, down 37% from Q4 of 2023. Although the Qilin ransomware-as-a-service group performed only 44 attacks in all of 2023, it has been more active in 2024, with 34 victims already in Q1 of 2024.

Law enforcement has been significantly more active against ransomware groups in recent months. Despite the attempted takedown by the Operation Cronos Task Force, LockBit survived and suffered only several days of serious disruption, although it conducted fewer ransomware attacks in the following weeks. At the end of December, law enforcement took action against the ALPHV/Blackcat ransomware group, the second most active ransomware group in 2023. The group then removed all restrictions on its affiliates and actively encouraged attacks on healthcare companies, including the attack on Change Healthcare, which resulted in a HIPAA compliance investigation. After the Change Healthcare attack, the group carried out an exit scam, pocketing all the ransom payments and ceasing operations.

Despite the law enforcement actions against LockBit and ALPHV, reported victims in the quarter still increased by 19.2%, with at least 50 victims listed on data leak sites per week and a peak of 125 victims listed in one week in March. GRIT observed efforts by several ransomware groups, including Cloak, Medusa, and RansomHub, to recruit new affiliates in Q1; ads for their RaaS operations were posted on deep and dark web forums in January and February 2024, and RansomHub activity appeared to increase in the following weeks. Three new ransomware groups, Killsec, Redransomware, and Donex, appeared in Q1 of 2024. Although these groups only carried out 22 attacks in March, their activity is expected to rise. Attacks dropped from 1,117 in the last quarter of 2023 to 1,024 in the first quarter of 2024. The shutdown of the ALPHV operation may also cause a decline in attacks in Q2; nevertheless, former ALPHV affiliates will likely move to other ransomware operations, so the activity of other groups will likely increase to make up the difference.

FTC Forbids Data Broker from Promoting Sensitive Location Information

The Federal Trade Commission (FTC) has reached its first settlement with a data broker over the sale of consumers’ precise geolocation data. Under the terms of the settlement, X-Mode Social may not sell or share sensitive location information with third parties unless it obtains consumers’ consent or de-identifies the information.

X-Mode Social, now Outlogic LLC, is based in Virginia and works with app developers. It offers a software development kit (SDK) that can be built into smartphone applications to collect data through those apps, including precise geolocation information. Precise geolocation data can reveal where a person lives and works, the homes of friends and family, and the other places they visit. Some of those places may be highly sensitive, such as places of worship, domestic violence shelters, facilities serving the LGBTQIA+ community, addiction treatment centers, and reproductive health clinics. When precise geolocation information is collected that reveals consumers’ visits to sensitive places such as reproductive health clinics and places of worship, they may face physical violence, discrimination, emotional distress, and other harms. According to the FTC complaint, Senator Ron Wyden determined that X-Mode had sold sensitive location information to U.S. military contractors in 2020, and another client, a private clinical research firm, paid X-Mode for access to consumer data that included visits to healthcare facilities, pharmacies, and specialty infusion centers across Columbus, Ohio.

FTC Claims X-Mode Social Involved in Illegal and Deceitful Practices

The FTC investigated whether the data broker engaged in unfair or deceptive acts or practices. The FTC alleged that X-Mode sold raw location data to third parties without removing sensitive locations, and that it failed to implement reasonable and appropriate safeguards against downstream misuse of that data. Besides buying geolocation information from third-party applications, X-Mode also has its own applications, Walk Against Humanity and Drunk Mode, and the FTC alleges that users of those apps were not fully informed about how their precise geolocation data would be used.

According to the FTC, X-Mode had no policies or procedures for removing sensitive locations from its raw data before selling it, its own app users were not told who would receive their information, and no safeguards were in place to ensure that users’ requests to opt out of tracking and personalized ads were honored. The FTC alleged that these failures were violations of Section 5 of the FTC Act.

“With this activity, the commission rejects the idea so common in the data broker market that vaguely written disclosures can give a firm free license to utilize or peddle people’s sensitive location information,” stated FTC chair Lina M. Khan.

FTC Complaint Settled

Under the terms of the settlement, Outlogic and X-Mode must implement a program to maintain a comprehensive list of sensitive locations, and data about those locations may not be disclosed, sold, or transferred unless consent is obtained from consumers. Outlogic and X-Mode are also prohibited from using location data when they do not know whether a consumer has given consent.

Outlogic and X-Mode must establish a supplier assurance program to ensure that all organizations they buy data from are obtaining consumers’ consent for the collection, sale, and use of the information, and all precise geolocation data indicating visits to sensitive locations that was collected without consent must be deleted or destroyed, unless the information has been de-identified.

X-Mode and Outlogic must also implement procedures to ensure that recipients of their location data do not associate the data with locations that provide services to LGBTQ+ individuals, such as bars or service organizations, or with locations of public gatherings at political or social demonstrations or protests, and do not use the location data to determine the identity or location of a specific individual.

Consumers must also be given a simple and easy-to-find way to withdraw their consent to the collection and use of their location data and to request that the data be deleted, as well as a clear and conspicuous means to request that any businesses or individuals that received their personal information delete the location data from their databases.

Outlogic’s PR firm issued a statement in response to the FTC complaint and settlement. The company disagrees with the FTC press release, noting that the FTC did not find any instance of data misuse and made no such allegation. Since its inception, X-Mode has enforced strict contractual terms on all data clients prohibiting them from associating its data with sensitive locations such as healthcare facilities. Compliance with the FTC’s newly issued requirements will be ensured through additional technical measures and will not require any substantial changes to the company or its products.

The settlement will be published in the Federal Register, and comments will be accepted for 30 days, after which the FTC will decide whether to finalize the proposed consent order.

Retina Group of Washington, Pan-American Life Insurance Group, Bellin Health, and Clay County, Minnesota Encounter Cyberattack

456,000 Patients Affected by Retina Group of Washington Data Breach

About 456,000 people were impacted by the data breach at Retina Group of Washington and have begun receiving notification letters, 9 months after the breach occurred.

On December 22, 2023, Retina Group of Washington, PLLC, submitted a breach report to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) indicating that the protected health information (PHI) of 455,935 people was affected. On the same day, the group began mailing notification letters.

The notification letters state that on March 26, 2023, Retina Group of Washington began having problems accessing data on parts of its systems. After an initial investigation, the group notified the Federal Bureau of Investigation (FBI). It was confirmed that the problem accessing files was the result of a cyberattack.

The cause of the cyberattack was not stated, but the wording Retina Group of Washington used in the notification letters suggests a ransomware attack. The investigation into the cyberattack is not yet complete, but the theft of patient data in the attack has been confirmed.

The types of data stolen include names, addresses, phone numbers, birth dates, email addresses, demographic data, driver’s license numbers, Social Security numbers, medical record numbers, medical data, payment details, and medical insurance data.

Retina Group of Washington stated that no attempted or actual misuse of patient data has been identified. Additional security measures will be implemented to strengthen system security.

According to the breach notifications, no credit monitoring or identity theft protection services are being provided. Impacted patients were advised to remain vigilant against identity theft and fraud, to check their explanation of benefits statements and account statements, and to review their free credit reports for suspicious activity. Retina Group of Washington also recommends placing a credit freeze on their credit files.

105,000-Record Data Breach at Pan-American Life Insurance Group

Pan-American Life Insurance Group, Inc. (PALIG) recently reported an attack by the Clop hacking group, which exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer solution at the end of May 2023.

Progress Software informed PALIG of the vulnerability, and PALIG immediately took the software offline until the patch was applied. The patch was implemented, and steps were taken to enhance system security. Concurrently, PALIG launched an investigation to determine whether the vulnerability had been exploited, which proved to be the case. On October 5, 2023, PALIG confirmed the theft of files from the MOVEit server. The stolen files contained the PHI of 105,387 people, including names, addresses, birth dates, driver’s license numbers, Social Security numbers, contact data, subscriber numbers, medical and medical benefits details, some biometric information, and credit card and financial account details.

PALIG has already informed the affected people and has provided free credit monitoring services. PALIG also took steps to further strengthen security and make sure that third-party transfer tools are secure.

Bellin Health Informs Patients Concerning the October Cyberattack

Bellin Health recently reported unauthorized third-party access to its internal systems. Some data of patients who purchased home care equipment between 2006 and 2013 may have been accessed or stolen. On October 27, 2023, unauthorized activity was discovered in its computer systems. Its IT security staff promptly took action to contain the activity and launched an investigation to determine the nature and extent of the unauthorized access.

Bellin Health’s third-party cybersecurity specialists confirmed that a threat actor gained access to a folder containing archived scanned files that included patient names along with at least one of the following: address, telephone number, birth date, and/or medical data associated with home care devices. A small number of files also included Social Security numbers.

Bellin Health stated it has hardened system security and will continue its cybersecurity investigation. The breach report was submitted to the HHS’ Office for Civil Rights as impacting 20,790 people. Patients whose Social Security numbers were compromised were offered free credit monitoring and identity theft protection services.

Ransomware Attack on Clay County, Minnesota

Clay County, Minnesota, reported on December 22, 2023, a ransomware attack that occurred in October. On October 27, 2023, unauthorized activity was discovered in its electronic document management system. The forensic investigation determined that there was unauthorized access from October 23, 2023 to October 26, 2023, and that ransomware was used to encrypt files.

The investigation confirmed that the accessed data included names along with at least one of the following: address, birth date, Social Security number, data about services provided by Clay County Social Services (service location, dates of service, client ID number or unique identifier), insurance ID number, and insurance or billing data.

Clay County officials said the county has taken action to enhance security, including requiring multifactor authentication for remote access to the breached CaseWorks application, changing the processes by which vendors obtain external access, implementing tools to improve detection of and speed up the response to cyber incidents, and applying improved technical security measures to the CaseWorks application.

The HHS’ Office for Civil Rights breach portal has not shown the incident report yet. The number of people affected by the breach is still unclear.

Cyberattacks Reports Involving the State of Maine, Greater Rochester Independent Practice Association, Tri-City Medical Center, and Crystal Run Healthcare

MOVEit Hack Impacts 1.3 M Individuals According to the State of Maine

The state of Maine has reported that it was impacted by the mass exploitation of Progress Software’s MOVEit file transfer tool. The state learned of the vulnerability on May 31, 2023, and patched it as soon as Progress Software released a fix; nevertheless, the Clop hacking group had already exploited the vulnerability and downloaded files containing sensitive information between May 28, 2023 and May 29, 2023.

The files included the sensitive information of state residents, state employees, and people who received services from state agencies. Between 10% and 30% of the affected employees worked at the Department of Education and over 50% worked at the state Department of Health and Human Services. The compromised data included names, birth dates, driver’s license numbers, health data, and Social Security numbers.

According to the notice submitted to the Maine Attorney General, the information of 1,324,118 people was affected, including 534,194 Maine residents. Notification letters are currently being sent, and free credit monitoring services have been offered to those whose Social Security numbers were compromised.

MOVEit Hacks Affect Greater Rochester Independent Practice Association

Greater Rochester Independent Practice Association (GRIPA) in New York was also impacted by the MOVEit hacks. GRIPA said it became aware of the issue on May 31, 2023, when Progress Software released the patch. Its forensic investigation confirmed on June 5, 2023 that files containing patients’ protected health information (PHI) had been exfiltrated from its MOVEit server. A third-party vendor analyzed the files, completing the review on September 1, 2023.

GRIPA stated that medical data was not exposed and that the affected information was minimal. Impacted individuals were told in their notification letters which information was involved. The breached data included the name of their physician, the date of their last consultation, and prescription data. Where Social Security numbers were compromised, impacted individuals can enroll in free credit monitoring services.

The breach report was submitted to the HHS’ Office for Civil Rights indicating that about 79,156 persons were affected.

Cyberattack on Tri-City Medical Center

Tri-City Medical Center in Oceanside, CA, is currently responding to a cyberattack that has forced it to take selected systems offline. On November 9, 2023, the hospital was diverting ambulances to other hospitals as a precaution, though the medical center stated it is prepared to handle emergency cases arriving by private vehicle and that it is working with other local healthcare providers to ensure that healthcare services continue to be delivered.

A forensic investigation has been launched to determine the nature and extent of the attack and whether sensitive information was stolen. More details will be released as the investigation progresses.

Potential Cyberattack on Optum Medical Group’s Crystal Run Healthcare

Crystal Run Healthcare in Middletown, NY, which was acquired by Optum Medical Group, reports that it is experiencing system problems affecting several of its services and causing longer than normal wait times. The problems began on or around November 3, 2023, and as of November 10, 2023, had not been resolved. The notice did not state the cause of the disruption, but a cyberattack is suspected.

Butler County Reports October Cyberattack

Butler County, Pennsylvania, has reported a data security breach. The attack was discovered in early October, and by the end of November it had been confirmed that the attacker had gained access to personally identifiable information (PII), mainly related to criminal court proceedings. Analysis of the affected data is ongoing; at this stage of the investigation it has not yet been determined exactly which data were stolen or how many people were affected.

Notification letters will be sent to the affected individuals once the analysis is complete, and county officials said credit monitoring services will be offered. This is the county’s second security breach: in September, a jail employee’s account was accessed, compromising PII.

Northern Iowa Therapy Reports Scope of Security Incident in March 2023

Northern Iowa Therapy (NIT) in Waverly, IA, recently reported a breach of the data of 5,100 patients. The incident was first discovered on March 10, 2023, when NIT found a small amount of patient data in an account not associated with NIT. Third-party forensic specialists investigated. On June 21, 2023, NIT first reported the incident and began reviewing the affected documents; on October 4, 2023, the exposure of patient data was confirmed. Contact details were then verified, and notification letters were mailed on October 27, 2023.

The compromised data varied from person to person and may have included names, addresses, dates of birth, email addresses, telephone numbers, medical data, Medicare IDs, mental/physical condition, driver’s license numbers, Social Security numbers, diagnoses, treatment data, dates of service, billing and claims data, patient account numbers, and health insurance details.

NIT said it continually reviews and updates its security practices to improve the privacy and security of the personal data it holds and will continue to do so.

West Central District Health Department Informs Patients Regarding May 2023 Cyberattack

The West Central District Health Department (WCDHD) in Nebraska has reported unauthorized access to its network and the exposure of patient data. The forensic investigation confirmed that parts of its network were accessed between May 18 and May 23, 2023; the review of the affected files was completed on September 18, 2023.

In its November 13, 2023, breach notice, WCDHD reported that the exposed information included names together with at least one of the following: driver’s license number, Social Security number, state identification number, and/or financial account number. Affected individuals have been offered free credit monitoring and identity theft protection services.

The incident does not yet appear on the HHS’ Office for Civil Rights breach portal, so the number of affected individuals is not yet known.

47% Increase in Ransomware Attacks and Data Breaches Reported by Mount Desert Island Hospital and Pharm-Pacc Corporation

Ransomware Groups are Attacking Small Businesses More and More

A new Trend Micro report shows that ransomware attacks grew by 47% compared with the second half of 2022. Although the most prominent ransomware-as-a-service operations still target large enterprises, most attacks were on small businesses with weaker defenses.

In the first half of 2023, the most active ransomware groups were Clop, LockBit, and BlackCat. LockBit was responsible for 1 in 6 ransomware attacks on government institutions in the period. Trend Micro tracked 522 attacks (26.09% of all attacks) using LockBit ransomware, 212 (10.59%) using BlackCat, and 202 (10.09%) using Clop. Despite those 202 reported Clop attacks, Trend Micro said it did not observe any attempted attacks by the Clop group against its own customers in the first six months of 2023.

Clop was responsible for two mass-exploitation campaigns in the first six months of 2023: one exploiting a vulnerability in Fortra’s GoAnywhere file transfer solution in January, the other exploiting a zero-day vulnerability in Progress Software’s MOVEit Transfer at the end of May. About 1,203 organizations worldwide suffered data theft in the second campaign.

Although BlackCat and LockBit both carried out several high-profile attacks in the first half of 2023, including attacks on Ion Group, Royal Mail, and Taiwan Semiconductor Manufacturing Company by LockBit affiliates and on Reddit and NextGen Healthcare by BlackCat actors, both groups are increasingly targeting small businesses. In the first half of 2023, small businesses accounted for 44.8% of BlackCat’s victims and 57.3% of LockBit’s. Clop still favors large enterprises, which made up 50% of its attacks, with small businesses accounting for 27.2%.

The overall increase in attacks on small businesses is attributed in part to the fragmentation of the ransomware ecosystem, helped by the leaks of the Conti and LockBit source code, which let cybercriminals build their own ransomware variants. Trend Micro identified 45 active RaaS and RaaS-related groups in the first half of 2023, six more than in the second half of 2022 (reported as an 11.3% increase).

Based on monthly ransomware file detections, the most frequently attacked industries in the first half of 2023 were banking (1,812 detections), transportation (859), and retail (733), with nearly half of all attacks on U.S. organizations. Worldwide, the number of ransomware victims rose by 45.27% from the second half of 2022. Extortion-only attacks have risen along with ransomware attacks: new groups appear to be practicing data theft and extortion without encrypting files at all.

To counter ransomware, Trend Micro recommends enabling multifactor authentication, backing up data regularly following the 3-2-1 rule, applying patches promptly, verifying emails before opening them, adhering to an established security configuration baseline, and deploying solutions with network detection and response (NDR) capabilities.

Snatch Ransomware Group Attacks Mount Desert Island Hospital

Mount Desert Island Hospital, Inc. (MDIH) in Bar Harbor, ME, has submitted a supplemental data breach notice to the Maine Attorney General about a security breach first reported on July 17, 2023. The hospital detected suspicious activity on its network on May 7, 2023, and the forensic investigation determined that an unauthorized third party had access to its systems from April 28 to May 7, 2023. MDIH has now completed its review of the files in the affected parts of its network and confirmed that they contained the personal data and protected health information (PHI) of 32,661 people, including 26,046 Maine residents.

The compromised employee data consisted of names together with at least one of the following: date of birth, driver’s license/state ID number, financial account data, and Social Security number. Compromised patient data included name, address, date of birth, Social Security number, driver’s license/state ID number, financial account details, Medicare or Medicaid ID number, medical record number, mental or physical treatment/condition details, diagnosis code/data, date of service, date of admission/discharge, prescription details, billing/claims data, name of personal representative or guardian, and health insurance data.

Affected individuals began receiving notification letters on June 5, 2023, and have been offered free credit monitoring and identity theft protection services. Neither the substitute breach notice on MDIH’s website nor the Attorney General filings describe the nature of the attack; however, it appears to have been a ransomware attack by the Snatch group.

The Snatch ransomware group has claimed responsibility, says it stole 266 GB of data in the attack, and has published the full data set on its leak site. One 89 GB archive shows 416 downloads and a 177 GB archive shows 390. Everyone notified about the attack should therefore enroll in the free credit monitoring and identity theft protection services.

Exposed PHI of 3,749 Individuals Reported by Pharm-Pacc Corporation

Pharm-Pacc Corporation of Coral Gables, FL, a provider of managed recovery services to hospitals, has suffered a data security breach. It detected suspicious activity in its IT environment on March 24, 2023, and after securing its systems began a forensic investigation, which confirmed on May 23, 2023, that an unauthorized third party had accessed its systems. On June 14, 2023, Pharm-Pacc determined that one of the accessed systems contained patients’ PHI.

The affected data included names, dates of birth, medical record numbers, patient account numbers, dates of service, addresses, medical device identifiers, driver’s license numbers, taxpayer ID numbers, phone numbers, email addresses, medical photographs, license plate numbers, Social Security numbers, dates of death, and digital signatures. Pharm-Pacc said it found no evidence that any of the information has been misused. Affected individuals were notified on September 11, 2023, and the breach report submitted to the HHS’ Office for Civil Rights states that 3,749 individuals were affected.

Data Breaches Reported by IBM, Hospital Sisters Health System, University of Massachusetts Chan Medical School, Lifeline Systems Company and Milan Eye Center

IBM Informs Janssen CarePath Patients Concerning Unauthorized Database Access

IBM has reported that sensitive information of patients enrolled in Janssen CarePath, a patient support program operated by Johnson & Johnson Health Care Systems Inc., has been compromised. IBM manages the software and database used by the Janssen CarePath platform and is therefore a business associate of Johnson & Johnson. Janssen recently discovered a method by which unauthorized persons could access the database and notified IBM, which in turn notified the database provider, and the issue was fixed. IBM also investigated whether unauthorized individuals had accessed the database. It confirmed that unauthorized access occurred on August 2, 2023, but could not determine the nature of that access or whether patient information was exfiltrated.

Since patient information may have been accessed, IBM has sent notification letters to the affected Janssen CarePath users. The information involved included names together with at least one of the following: contact details, date of birth, health insurance information, medications, and medical conditions. IBM is offering affected individuals a year of free credit monitoring.

The incident has not yet been posted on the HHS’ Office for Civil Rights breach portal, so the number of individuals affected is not yet known, but it is likely to be large: the CarePath platform had 1.16 million patients in 2022.

Cyberattack on Hospital Sisters Health System

Hospital Sisters Health System (HSHS) has experienced a cybersecurity incident that forced it to take part of its IT network offline. The telephone system went down, though most hospital and clinic phone lines have since been restored. The hshs.org website was affected and currently redirects to hshsupdates.org, where patients can find regular updates.

HSHS is based in Springfield, IL, and operates 15 hospitals in Illinois and Wisconsin, which are running on downtime procedures until IT systems can be safely brought back online. All hospital and emergency departments remain open, and patients are being admitted and treated; however, patient billing remains suspended. It is too early in the investigation to say whether or how much patient information was compromised.

MOVEit Transfer Hack Resulted in PHI Theft

The University of Massachusetts Chan Medical School recently announced that the protected health information (PHI) of 134,394 people was stolen by the Clop hacking group, which exploited a zero-day vulnerability in the MOVEit Transfer file transfer software.

The affected individuals were enrolled in state programs administered through the Worcester, MA, medical school, such as the State Supplement Program, MassHealth Community Case Management, MassHealth Premium Assistance, and the Executive Office of Elder Affairs’ Aging Services Access Points home care programs. The stolen data included names, dates of birth, addresses, financial account numbers, Social Security numbers, and medical data (diagnoses, treatment details, prescription data, provider names, dates of service, claims data, and health insurance information). Affected individuals have been offered free credit monitoring and identity theft protection services.

Lifeline Systems Company Informs Patients Concerning the Cyberattack in August 2022

Lifeline Systems Company of Marlborough, MA, a provider of medical alert systems, has recently notified 74,849 people about a data breach that occurred more than a year ago. According to the notification letters, it detected unusual network activity on August 6, 2022, activated its incident response procedures, and engaged a third-party computer forensics firm to investigate.

The investigation confirmed that an unauthorized person had access to its systems between July 27 and August 6, 2022, and viewed certain files during that period. On August 18, 2022, Lifeline confirmed that the files contained data on subscribers, employees, and persons eligible for Lifeline services, including names, Social Security numbers, and driver’s license numbers.

Because of the time taken to review the documents, notification letters could not be sent until September 7, 2023. Free credit monitoring has been offered to those whose driver’s license number or Social Security number was exposed. Lifeline said it has enhanced its network monitoring capabilities and will continue to audit its systems for unauthorized activity.

Milan Eye Center Reports EHR Vendor Breach

Milan Eye Center, an Atlanta, GA-based network of eye surgery centers, has begun notifying 67,336 patients that some of their PHI was compromised in a security incident at its third-party vendor, iMedicWare Inc. Milan Eye Center said it was notified of the incident on December 9, 2022, and its investigation confirmed on July 24, 2023, that historical patient archives maintained by iMedicWare had been accessed without authorization between May 18 and July 23, 2020.

The records contained names, dates of birth, phone numbers, insurance coverage information, service areas, dates of service, medical status, and Social Security numbers. Because it could not be determined exactly which patients’ data were viewed, notification letters were sent to everyone who received care on or before July 23, 2020. Affected individuals have been offered free credit monitoring.

Milan Eye Center said iMedicWare is no longer its electronic health record vendor and that additional technical safeguards and policies have been put in place to improve the security of its data systems.

HC3 Warns About the Rhysida Ransomware Group and Increased Data Breach Risk Around M&As

The HHS Health Sector Cybersecurity Coordination Center (HC3) has issued a security advisory about Rhysida, a relatively new ransomware group carrying out high-impact attacks across several industries. Attacks have been recorded in Australia, Western Europe, and North and South America, with Italy, the United States, the United Kingdom, and Spain the most heavily hit. The group’s main targets appear to be in the government, education, technology, and manufacturing sectors, but it has also carried out several attacks on the healthcare and public health (HPH) sector.

Rhysida operates as ransomware-as-a-service, recruiting affiliates to conduct attacks with its ransomware in exchange for a share of the ransom payments. The group was first observed in May 2023. Its ransomware appears to be at an early stage of development, lacking the advanced capabilities seen in the variants used by more established threat groups.

Rhysida ransomware is deployed after initial access is gained through phishing and exploitation of software vulnerabilities. Cobalt Strike is used on compromised systems to deliver the ransomware payload. Files are encrypted with ChaCha20, with a 4096-bit RSA key protecting the encryption keys. A PDF ransom note is dropped on the encrypted drives demanding payment in Bitcoin for the decryption keys and for the stolen data not to be published; the note does not state an amount, and victims are told to contact the group over Tor to negotiate. Rhysida was responsible for the attack on the Chilean Army; at the time of writing it lists 8 victims on its data leak site and has published data stolen from five of them.
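To make the RSA-plus-ChaCha20 scheme concrete, here is an added example of hybrid (envelope) file encryption of the kind the advisory describes. It is not Rhysida’s code and does not reproduce its file format; the authenticated ChaCha20-Poly1305 variant, RSA-OAEP wrapping, the blob layout, and the `cryptography` package dependency are all choices made for this illustration. The point for defenders is visible in `decrypt_blob`: every file gets its own random key, that key exists only in wrapped form under the operator’s RSA public key, and without the matching private key (or backups) there is nothing to recover.

```python
"""Envelope encryption: per-file ChaCha20-Poly1305 key, wrapped with RSA-OAEP.

Added example (not Rhysida's code). Requires the 'cryptography' package.
Blob layout, chosen here for illustration:
    wrapped_key (RSA modulus size) || nonce (12) || ciphertext+tag
"""
import os
from typing import Optional

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305

RSA_BITS = 4096   # key size the advisory attributes to Rhysida
NONCE_LEN = 12    # ChaCha20-Poly1305 nonce length


def generate_keypair(bits: int = RSA_BITS):
    """Operator-side key pair. Only the public half ever reaches a victim."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=bits)
    return private_key, private_key.public_key()


def _oaep() -> padding.OAEP:
    # OAEP with SHA-256 is the padding assumed for key wrapping in this example.
    return padding.OAEP(mgf=padding.MGF1(hashes.SHA256()),
                        algorithm=hashes.SHA256(), label=None)


def encrypt_blob(plaintext: bytes, public_key) -> bytes:
    """Encrypt one file with a fresh symmetric key, then wrap that key.

    The raw file key is never written anywhere; after wrapping it is dropped,
    so the victim-side artefacts contain nothing that decrypts the file.
    """
    file_key = ChaCha20Poly1305.generate_key()          # 32 random bytes
    nonce = os.urandom(NONCE_LEN)
    ciphertext = ChaCha20Poly1305(file_key).encrypt(nonce, plaintext, None)
    wrapped_key = public_key.encrypt(file_key, _oaep())  # needs the private key to undo
    return wrapped_key + nonce + ciphertext


def decrypt_blob(blob: bytes, private_key) -> Optional[bytes]:
    """Recover the plaintext, or None if the private key does not match the
    wrapping key (OAEP unwrap fails) or the ciphertext was modified (tag fails)."""
    n = private_key.key_size // 8                        # wrapped key = modulus size
    wrapped_key, nonce, ciphertext = blob[:n], blob[n:n + NONCE_LEN], blob[n + NONCE_LEN:]
    try:
        file_key = private_key.decrypt(wrapped_key, _oaep())
    except ValueError:
        return None                                      # wrong or mismatched RSA key
    try:
        return ChaCha20Poly1305(file_key).decrypt(nonce, ciphertext, None)
    except InvalidTag:
        return None                                      # ciphertext tampered with


if __name__ == "__main__":
    # Constructed sample input; 4096-bit keygen takes a few seconds.
    operator_priv, operator_pub = generate_keypair()
    sample = b"constructed sample record: MRN 000000, dx J18.9"
    blob = encrypt_blob(sample, operator_pub)
    assert decrypt_blob(blob, operator_priv) == sample
    other_priv, _ = generate_keypair()
    assert decrypt_blob(blob, other_priv) is None        # no private key, no data
    print("ok: only the wrapping key's private half recovers the file")
```

Note that nothing here is exotic: it is the same construction that legitimate envelope-encryption tools use, which is why well-implemented ransomware of this design cannot be decrypted by cryptanalysis and why offline backups remain the only dependable recovery path.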

Security researchers have not confirmed a link between Rhysida and other ransomware or cybercriminal groups, though several suspect a connection with Vice Society, which likewise mainly targets the education sector. HC3’s advisory includes indicators of compromise (IoCs) to help network defenders detect attacks, along with proactive steps healthcare providers can take to harden their defenses.

Healthcare Data Breach Risk Doubles in the Two-Year Window Around M&As

New research by Nan Clement, a Ph.D. candidate at the University of Texas at Dallas, finds that the risk of a data breach at a hospital doubles in the year before and the year after a merger or acquisition (M&A).

Clement compared breach data from the HHS’ Office for Civil Rights (OCR) for 2010 to 2022 with M&A data for roughly the same period and found that the probability of a data breach was 3% for the hospitals in the dataset, but doubled to 6% for merger targets, sellers, and buyers during the two-year window spanning the year before and the year after the deal. Hacking and insider breaches both increased after a hospital merger or acquisition was announced. Google Trends data also showed a spike in searches for the target hospital’s name immediately after the announcement, which correlated with hacking activity.

Ransomware attacks and hacking were found to be more frequent throughout the two-year M&A window. During this period, cybercriminals may judge that a ransom is more likely to be paid, and the integration of two hospitals’ incompatible IT systems can introduce vulnerabilities and staff errors that attackers can quickly exploit. The FBI has previously warned that hackers, and ransomware groups in particular, time attacks to coincide with significant financial events such as M&As because that gives them additional leverage. Clement also found an increase in insider misconduct during the two-year window.

According to IBM Security’s latest Cost of a Data Breach report, healthcare data breaches now cost around $11 million each, more than in any other industry, and the HHS’ Office for Civil Rights breach portal shows a sharp rise in hacking incidents over the past few years. Given these costs, Clement argues that hospital administrators, cybersecurity specialists, and health, security, and finance experts need to work together to improve hospital cybersecurity. Clement also found that mergers involving publicly traded hospitals often see a decrease in data breaches during the merger. “Hospital managers ought to think about taking on the risk management processes generally used by professional investors and publicly traded private hospitals. This integration of risk management practices can result in better overall organizational capital for safeguarding the hospitals.”

The findings, from the peer-reviewed paper M&A Effect on Data Breaches in Hospitals: 2010-2022, were presented last month at the 22nd Workshop on the Economics of Information Security in Geneva.


Data Breaches Reported by Southern Association of Independent Schools, Harris Health Systems, New England Life Care and Other HIPAA Covered Entities

Highly Sensitive School Records of 700,000 Individuals Exposed on the Web

Highly sensitive data on 682,438 teachers and students at independent schools was left publicly accessible online without a password. Security researcher Jeremiah Fowler discovered the exposed 572.8 GB database and traced its contents to the Southern Association of Independent Schools, Inc. (SAIS).

Each student record contained a photograph of the student along with their home address, date of birth, age, medical information, and Social Security number. Fowler also found third-party security assessments detailing weaknesses in school security, camera locations, access and entry points, active shooter and lockdown notices, school maps, teacher background checks, financial budgets, and more. Fowler promptly notified SAIS, which quickly secured the database.

Fowler could not determine how long the database had been exposed or whether it had been accessed by unauthorized persons, but noted that it would be a valuable resource for criminals of many kinds. The data was held in a cloud database that had been misconfigured to allow access without a password. The database appeared to be SAIS’s own primary server, and the exposure did not appear to stem from a vendor’s configuration error.

Harris Health Systems Reports 225,000-Record Data Breach

Harris County Hospital District, doing business as Harris Health System, recently announced a data breach affecting 224,703 patients. On June 2, 2023, Harris Health System was notified of a zero-day vulnerability in the MOVEit Transfer file transfer solution. The vulnerability was patched promptly, but the forensic investigation showed that hackers had already exploited it on May 28, 2023, and exfiltrated files.

Analysis of the affected files showed they contained names, addresses, dates of birth, medical record numbers, Social Security numbers, immigration status, driver’s license and other government-issued ID numbers, health insurance information, procedure information, treatment costs, diagnoses, medications, provider names, and dates of service.

Harris Health System said it has patched the vulnerability and taken additional steps to harden its MOVEit server. Affected individuals were notified on July 21, 2023, and those whose Social Security numbers were exposed have been offered free credit monitoring and identity theft protection services.

New England Life Care Announces Data Breach of 51,854 Records

New England Life Care of Portland, ME, says it discovered a security breach on May 24, 2023, that disrupted its IT systems. The incident was quickly contained, and a third-party cybersecurity firm conducted a forensic investigation. The review confirmed that the affected files contained patient information including names, addresses, equipment/service details, and patient status (active/discharged).

The 51,854 affected patients were notified by mail on July 21, 2023. New England Life Care said additional safeguards and technical measures have been implemented to prevent similar incidents in the future.

Park Royal Hospital Reports Unauthorized Email Account Access

Park Royal Hospital in Fort Myers, FL, has identified unauthorized access to an employee’s email account. The incident was discovered on May 15, 2023, and the forensic investigation confirmed that the account was compromised on May 8, 2023. The account contained protected health information (PHI) including patient names, provider names, treatment dates, diagnoses, and treatment details. The hospital said additional safeguards and technical security measures have been implemented to further protect and monitor its systems.

The investigation is ongoing; notification letters will be mailed once it is complete. Park Royal Hospital has already reported the breach to the HHS’ Office for Civil Rights, indicating that at least 500 people were affected.

Email Accounts Breach at Unified Pain Management

Konen & Associates, doing business as Unified Pain Management in Texas, has recently reported an email account breach affecting approximately 500 records to the HHS’ Office for Civil Rights. On March 21, 2023, it detected suspicious activity in its corporate email accounts and promptly took steps to block further unauthorized access. A third-party digital forensics firm investigated but could not determine whether any data in the accounts had been accessed or stolen.

The review of the emails confirmed that they contained patient names, addresses, health insurance policy numbers, payment details, Social Security numbers, and medical information such as treatment and diagnosis data. Steps have been taken to strengthen email security, and affected individuals have been offered free credit monitoring and identity theft restoration services.

Around 170,450 Patients Impacted by Chattanooga Heart Institute Cyberattack

The Chattanooga Heart Institute (CHI) in Tennessee has recently reported that it discovered a cyberattack on its network on April 17, 2023. Immediate action was taken to block further unauthorized access, and a third-party forensics firm was engaged to determine the nature and scope of the attack. The investigation confirmed that unauthorized persons had access to its network from March 8 to March 16, 2023, and on May 31, 2023, it was confirmed that the attackers had copied files containing sensitive patient information.

CHI’s electronic medical record system was not compromised; however, the files taken from its network were found to contain names, email addresses, mailing addresses, telephone numbers, dates of birth, Social Security numbers, driver’s license numbers, account information, health insurance details, diagnosis/condition information, laboratory results, medications, and other demographic, medical, and financial details. CHI will send notification letters to affected individuals shortly and will offer identity theft restoration, credit monitoring, and fraud consultation services.

The breach report submitted to the Maine Attorney General indicates that around 170,450 people were affected. CHI did not name the group responsible, but the Karakurt group has claimed the attack. Karakurt is a relatively new threat actor that has shown no reluctance to target healthcare organizations.

Research on EU Health Sector Cyber Attacks Reveals That Ransomware is the Top Threat

The European Union Agency for Cybersecurity (ENISA) has published the results of its first analysis of the cyber threat landscape of the EU health sector. ENISA reviewed healthcare cyber incidents from January 2021 to March 2023 to identify the main targets, the threat actors responsible, attack trends, and the impact of cyberattacks on the healthcare sector.

A wide range of healthcare entities were attacked over the two-year period, including health authorities, bodies and agencies, and pharmaceutical companies, but most attacks targeted healthcare providers (53%), and hospitals in particular (42%). In total, ENISA reviewed 215 publicly reported incidents in the EU and neighbouring countries: 208 cyberattacks on the health sector, 5 reports of discovered vulnerabilities (not known to have been exploited), and two warnings of potential cyber activity affecting the sector. ENISA says the number of incidents has remained broadly steady, although there appears to have been an increase in 2023, with 40 incidents recorded between January and March alone, compared with 91 in all of 2021 and 84 in 2022.

46% of all attacks involved healthcare data, and 83% were financially motivated, reflecting the high value of that data; 10% were ideologically motivated. The most common consequence was a data breach or data theft (43%), followed by disruption of non-healthcare services (26%) and disruption of healthcare services (22%). Ransomware was the dominant threat throughout the study period: 53% of incidents were ransomware attacks, 43% of which involved data theft or a data breach, and ransomware had the greatest impact on healthcare organizations. Ransomware attacks increased from 2021 to 2022 and appear to have continued rising in 2023. LockBit 3.0, BlackCat, and Vice Society were responsible for most of the attacks.

A large part of the study period fell during the COVID-19 pandemic, when the healthcare sector was a prime target for malicious actors. The pandemic was associated with a rise in ransomware attacks and in data leaks. Although some data leaks were the result of malicious activity, they were also frequently caused by poor security practices and misconfigurations. Healthcare organizations struggled to establish new ways of working during the pandemic, and cybersecurity was often neglected under pressing operational demands.

Toward the end of the study period, geopolitical developments drove an increase in hacktivist activity. Pro-Russian hacktivist groups such as KillNet conducted DDoS attacks on healthcare providers to disrupt services in retaliation against supporters of Ukraine. Such attacks are expected to continue for as long as the war in Ukraine does, although their impact has been relatively limited.

Cyberattacks on the health sector come with a financial cost; nevertheless, that cost is hard to measure precisely. The 2022 ENISA NIS Investment report puts the median cost of a major security incident at €300,000 ($328,870); nonetheless, the main concern is patient safety, since the attacks frequently delay triage and patient treatment. Data breaches can also potentially affect the health and safety of patients.

Despite the extent to which ransomware was used in attacks, 27% of healthcare organizations did not have a dedicated ransomware defense plan. The research also showed insufficient security awareness training for non-IT staff, with just 40% of primary equipment suppliers offering security awareness training to non-IT employees. As on the other side of the Atlantic, failures to perform risk analyses are common. Another survey conducted by the NIS Cooperation Group found that almost all healthcare organizations (95%) consider risk analyses difficult, with 46% admitting to never having performed one.

More and more healthcare cyberattacks take advantage of poor patch management practices. 4% of verified data exposures/data breaches in 2021 and 2022 exploited vulnerabilities to gain access to healthcare systems or exploited system misconfigurations. 80% of the healthcare organizations surveyed stated that more than 61% of their security incidents were due to unpatched vulnerabilities.

The fact that many organizations find risk analyses challenging, and that most have never performed one, indicates that this is a key area to address in order to improve resilience against cyberattacks. ENISA also identifies other priorities: keeping offline, encrypted backups of mission-critical data, providing security awareness training for all employees, performing routine vulnerability scans and promptly patching vulnerabilities, strengthening authentication procedures, creating, maintaining and practicing basic cyber incident response plans, and getting senior management to invest in improving cybersecurity.

Seven Healthcare Providers Report Data Breach Due to Cyberattacks

Fortra GoAnywhere Hack Impacts Intellihartx

Intellihartx, a payment and collections service provider based in Tennessee, recently reported the theft of the personal and health data of 489,830 individuals in a hacking and extortion attack. At the end of January and the beginning of February 2023, the Clop ransomware group gained access to the data of around 130 organizations by exploiting a zero-day vulnerability in Fortra's GoAnywhere MFT. Although Clop frequently uses ransomware to encrypt files, in this campaign the group only stole data and demanded payment to prevent public exposure of the stolen information.

Intellihartx discovered that it was affected by the breach on February 2, 2023, and launched an investigation to determine its extent. Initial results received on March 24 suggested the potential theft of sensitive information, and the data owners were notified on April 11, 2023. The detailed analysis of the affected files confirmed on May 10, 2023 that protected health information (PHI) had been compromised. That evaluation was completed on May 19, 2023.

Intellihartx's review of the files extracted by Clop confirmed they included data such as patient names, birth dates, addresses, diagnoses, prescription drugs, insurance details, billing data, and Social Security numbers. Intellihartx stated it has rebuilt the file transfer program and implemented additional security procedures to prevent similar breaches in the future, and has already notified affected individuals and provided them with free credit monitoring services.

Cyberattack Affects Petaluma Health Center Patients

Petaluma Health Center in California has issued notification letters to current and former patients informing them of the potential theft of some of their PHI. The health center detected a network security incident and immediately blocked it on March 14, 2023. The forensic investigation found no evidence of theft or misuse of patient data; nevertheless, data theft could not be ruled out.

The files potentially stolen in the attack contained first and last names, addresses, birth dates, Social Security numbers, medical data, and health data, with the affected data varying from person to person. Security has been strengthened to prevent similar breaches in the future, and affected persons appear to have been offered free single-bureau credit monitoring services.

The number of individuals that were affected by the breach is still uncertain.

North Shore Medical Labs Patients Affected by Cyberattack and Data Theft

North Shore Medical Labs, a clinical reference lab in Williston Park, NY, has begun informing patients that some of their PHI was compromised in a data security incident discovered on March 29, 2023. According to the investigation, which concluded on May 12, 2023, files were likely viewed and stolen that included names, dates of birth, and medical lab data.

A malicious actor first gained access to its network on December 22, 2022. The laboratory blocked that access on March 31, 2023. The forensic investigation confirmed that files were exfiltrated from its network between March 17 and March 31. North Shore Medical Labs stated it has not received any report of patient data misuse as a result of the incident. Data security policies and training practices were audited, and security measures and monitoring software were improved, to minimize any risk linked to the incident and to prevent further security problems down the road.

The data breach report submitted to the HHS Office for Civil Rights indicated that 500 persons were affected. That is only a placeholder used to satisfy reporting requirements until the full scope of the breach is known.

Alvaria Ransomware Attack Affects Shasta Community Health Center

Shasta Community Health Center in Redding, CA recently reported the compromise of patient information in a ransomware attack on its business associate, Alvaria, Inc. According to the breach notice, a sophisticated ransomware attack on Alvaria on March 9, 2023 affected a portion of the network that contained clients' workforce management and outbound dialer information.

According to the notification letter, the attack occurred on March 9, 2023 and was immediately remediated, with data recovered from backups. The analysis confirmed that the exposed information contained names, addresses, telephone numbers, and the names of associated healthcare organizations. Alvaria stated in the breach notification letters that, immediately after securing the network, additional safeguards were put in place to further strengthen system security. Affected individuals were offered credit monitoring services.

Alvaria confirmed in February that it had suffered a Hive ransomware attack in November 2022. It is not clear whether the two incidents are connected.

Summit Eye & Optical Suffers a Data Breach

Summit Eye & Optical in Summit, NJ recently confirmed that an unauthorized person gained access to its system and potentially accessed or obtained the PHI of 5,727 patients. The provider discovered the breach on March 4, 2023, and sent notifications to affected persons on May 18, 2023.

Summit Eye & Optical confirmed that the data potentially compromised in the cyberattack included full names, addresses, medical histories, treatment details, and other personal data. The provider reviewed its internal data management practices and improved its security to prevent similar incidents in the future. Affected individuals were offered free identity theft protection services.

Unauthorized Email Access Incident at Sparta Community Hospital District

Sparta Community Hospital District in Illinois has reported the exposure and potential theft of the PHI of around 900 patients by an unauthorized person who accessed an employee's email account between March 27, 2023 and March 28, 2023.

The hospital district discovered the breach on March 28 and quickly secured the account. The analysis of the account, completed on April 12, 2023, revealed that it contained patient data such as names, addresses, telephone numbers, birth dates, medical record numbers, physician names, health diagnoses, and limited treatment data. No financial data or Social Security numbers were compromised.

Mission Community Hospital Cyberattack

Mission Community Hospital in California is investigating a cyberattack that occurred on April 29, 2023. The RansomHouse threat group claims it carried out the attack on the San Fernando Valley acute care hospital and boasted of having exfiltrated over 2.5 terabytes of data. A portion of the stolen data was published on its data leak website. The leaked information includes medical imaging records, employee information, and financial data.

The hospital discovered the ransomware attack on May 1 while investigating a hardware malfunction, finding evidence of an attack that exploited vulnerabilities in its system and VMware environments. The amount of data accessed or stolen has not yet been confirmed.


Five Healthcare Victims of Ransomware Attacks

There is a growing trend of breach notifications that do not disclose the exact nature of a cyberattack or whether patient data was stolen. Withholding this information makes it hard for data breach victims to evaluate the degree of risk they face. That appears to be the case with the first two cyberattacks below: neither mentioned ransomware or confirmed the data theft that took place.

Albany ENT & Allergy Services Ransomware Attack

In early May 2023, the ransomware groups RansomHouse and BianLian listed Albany ENT & Allergy Services (AENT) on their data leak websites and claimed to have stolen 1TB of data from its network prior to file encryption. Proof of data theft was posted on the RansomHouse data leak site.

Albany ENT & Allergy Services stated in its notification letter to the Maine Attorney General that unauthorized persons gained access to its system, which stored the protected health information (PHI) of 224,486 persons, including 61 Maine residents. AENT said in the letters that it detected suspicious activity in its computer system on March 27, 2023 and engaged a third-party forensic investigation to determine the nature and extent of the data breach. AENT confirmed that an unauthorized individual had access to select systems storing personal data and PHI from March 23, 2023 to April 4, 2023. An analysis of those files confirmed they included employee and patient data such as names and Social Security numbers.

AENT began sending notifications to affected persons on March 25, 2023 and offered a year of free credit monitoring services. Since the ransomware groups' statements indicate that data was stolen, affected persons should take full advantage of those free services. AENT stated it is reviewing its policies and procedures, will give additional training to its staff, and will implement additional safeguards to further protect data in its systems.

Vascular Center of Intervention, Inc. Ransomware Attack

Vascular Center of Intervention, Inc. (VCI), a surgical center based in Fresno, CA, recently notified patients of a security breach discovered on March 29, 2023. According to the notification letters, the forensic investigation into unusual network activity established that an unauthorized person may have accessed or copied selected documents stored in VCI's environment between February 25, 2023 and March 29, 2023.

The analysis of the files was completed on May 17, 2023 and found that names were affected together with at least one of the following: medical history, mental or physical condition, medical treatment or examination by a health care professional, birth date, medical insurance details, driver's license number and/or Social Security number. VCI stated its existing safeguards were enhanced to further strengthen security. Its notification to the California Attorney General indicates that, at a minimum, California residents will be offered one year of free identity theft protection and credit monitoring services.

The notification letters did not mention that the BianLian group claimed responsibility for the attack. The group stated on its data leak website that it exfiltrated 200 GB of data from VCI's systems. BianLian conducts ransomware attacks, though this year it has largely shifted to extortion-only attacks.

It is currently unknown how many persons were affected.

Ohio Business Associate Encounters Ransomware Attack

Marshall Information Services (also known as Primary Solutions Inc.) has issued notification letters that offer more detail. This Ohio-based billing solutions provider to healthcare organizations recently notified 7,456 people that it suffered a ransomware attack in August 2022 that blocked access to its systems. Its forensic investigation confirmed that the attackers gained access to parts of the system containing files with the PHI of a number of its covered entity customers, and that those files were potentially accessed or obtained during the attack.

The notices state that the files included first and last names together with a few or all of these data elements: address, birth date, Social Security number, medical data like diagnosis, ailment, or treatment, Medicare or Medicaid number, medical record number, individual medical insurance policy number, and in limited instances, payment card details.

A third-party provider examined all the affected files to identify the affected persons, and that review established on February 22, 2023 that PHI had been compromised. It is unclear why that process took so long. Each covered entity was subsequently informed, and Primary Solutions stated it then arranged for those clients to notify the affected persons. Primary Solutions stated that free credit monitoring and identity restoration services are being provided via IDX, and it advises affected persons to enroll in those services.

Following the incident, Primary Solutions implemented multifactor authentication for remote access, updated its configurations to ensure employees access systems through a virtual private network (VPN) protected by multifactor authentication, and deployed a new endpoint detection and response (EDR) solution.

Theft of 2.5 M Individuals’ Clinical Test Data in Enzo-Biochem Ransomware Attack

Enzo Biochem, a biotech and diagnostics firm based in Farmingdale, NY, recently disclosed in an 8-K filing with the Securities and Exchange Commission that the clinical test data of 2,470,000 patients was compromised in a ransomware attack on April 6, 2023. Enzo Biochem stated it took immediate action to secure its systems once the breach was discovered. Although the incident disrupted business processes, all of its services remained available to patients and partners.

Enzo Biochem offers treatment options for cancer and for infectious and metabolic diseases, as well as screening services for various transmissible illnesses such as STDs and COVID-19. On April 11, 2023, Enzo Biochem confirmed that information associated with those services had been accessed and, in certain instances, exfiltrated. The stolen information included names, test data, and Social Security numbers for around 600,000 individuals. Enzo Biochem is investigating whether employee data was also exposed.

Enzo Biochem stated it has incurred, and may continue to incur, costs associated with the incident and is assessing the overall financial impact of the ransomware attack. The company has confirmed that affected persons will be notified by mail about whether their data was deleted, and that the incident will be reported to the appropriate regulatory agencies.

Medford Radiology Group Cyberattack During Memorial Day Weekend

Medford Radiology Group in Oregon is still recovering from a cyberattack that occurred over the Memorial Day weekend. The attack took place on the morning of May 26, 2023 and blocked access to medical images. The investigation is ongoing to determine the nature and extent of the breach and the degree to which patient data was compromised. Medford Radiology Group described this as a major cybersecurity attack.

Third-party cybersecurity specialists are investigating the breach and assisting the Group's support services. All available resources are being used to continue providing radiology services and patient care. Although the investigation is still in its early stages, Medford Radiology believes the incident was confined to its internal systems and that there is no impact on its outside partners.


Data Breaches Due to Cyberattack in PillPack, Fertility Specialists Medical Group, CommonSpirit Health, and IMA Financial Group

19,000 Customer Accounts Compromised in PillPack Cyberattack

PillPack, the online pharmacy owned by Amazon, has recently begun informing 19,000 customers that their protected health information (PHI) was compromised in a cyberattack in April. PillPack detected unauthorized customer account activity on April 3, 2023. The investigation showed that customer accounts were accessed by an unauthorized third party between April 2 and April 6, 2023. The breached accounts included names, telephone numbers, addresses, and email addresses. Roughly 3,600 accounts also contained prescription data.

According to the forensic investigation, the attacker did not steal the usernames and passwords used to access the accounts from PillPack. Most likely, the credentials were taken from a breach at another platform where the same usernames and passwords were used. Credential-stuffing attacks of this kind only succeed because the same usernames and passwords are reused across several platforms. PillPack has not received any report of misuse of customer information, and the types of data in the accounts are not sufficient for identity theft. Nevertheless, breach victims may be targeted by phishing attacks aimed at obtaining more information. PillPack stated that the breach affected only PillPack and mailed notification letters to affected persons.
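The credential-stuffing pattern described above has a recognizable signature in authentication logs: a single source address cycles through many different usernames in a short window, whereas a legitimate user who mistypes a password retries the same account. The following detector is an added example written for this page, not PillPack's or Amazon's code; the log format, the source addresses (TEST-NET ranges), the usernames, and the thresholds are all constructed for illustration and should be adapted to a real system's logs and baseline.

```python
"""Flag credential-stuffing bursts in authentication logs.

Added example; the log format below is constructed for illustration.
Each line: <ISO timestamp> <login_ok|login_failed> user=<name> src=<ip>
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>login_ok|login_failed) user=(?P<user>\S+) src=(?P<ip>\S+)$"
)

# Constructed sample: 203.0.113.5 sprays ten different accounts and gets into
# one of them; 198.51.100.7 is a normal user retrying their own password.
SAMPLE_LOG = """\
2023-04-03T10:00:01Z login_failed user=alice src=203.0.113.5
2023-04-03T10:00:09Z login_failed user=bob src=203.0.113.5
2023-04-03T10:00:17Z login_failed user=carol src=203.0.113.5
2023-04-03T10:00:25Z login_ok user=dana src=203.0.113.5
2023-04-03T10:00:33Z login_failed user=erin src=203.0.113.5
2023-04-03T10:00:41Z login_failed user=frank src=203.0.113.5
2023-04-03T10:00:49Z login_failed user=grace src=203.0.113.5
2023-04-03T10:00:57Z login_failed user=heidi src=203.0.113.5
2023-04-03T10:01:05Z login_failed user=ivan src=203.0.113.5
2023-04-03T10:01:13Z login_failed user=judy src=203.0.113.5
2023-04-03T10:02:00Z login_failed user=mallory src=198.51.100.7
2023-04-03T10:02:20Z login_failed user=mallory src=198.51.100.7
2023-04-03T10:02:40Z login_ok user=mallory src=198.51.100.7
this line is deliberately malformed and must be skipped
"""


@dataclass
class Event:
    ts: datetime
    event: str
    user: str
    ip: str


def parse(lines):
    """Parse log lines into Events, skipping anything that does not match."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append(Event(ts, m["event"], m["user"], m["ip"]))
    return events


def detect(events, window=timedelta(minutes=10), min_users=5, min_failures=8):
    """Return {ip: finding} for sources that fail against many distinct
    accounts within `window`. Each finding records the peak counts seen and
    any accounts the source successfully logged into during the burst, which
    are the accounts to force a password reset on and notify."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_ip[e.ip].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end, e in enumerate(evs):
            # Slide the window so evs[start:end+1] spans at most `window`.
            while evs[start].ts < e.ts - window:
                start += 1
            span = evs[start:end + 1]
            failed = [x for x in span if x.event == "login_failed"]
            users = {x.user for x in failed}
            if len(users) >= min_users and len(failed) >= min_failures:
                f = findings.setdefault(
                    ip, {"distinct_users": 0, "failures": 0, "successful_logins": set()}
                )
                f["distinct_users"] = max(f["distinct_users"], len(users))
                f["failures"] = max(f["failures"], len(failed))
                f["successful_logins"] |= {x.user for x in span if x.event == "login_ok"}
    return findings


if __name__ == "__main__":
    for ip, f in detect(parse(SAMPLE_LOG.splitlines())).items():
        print(f"{ip}: {f['failures']} failures across {f['distinct_users']} accounts; "
              f"reset and notify: {sorted(f['successful_logins'])}")
```

The distinct-user threshold is what separates stuffing from ordinary lockout noise: the normal user above fails twice and is never flagged because every attempt is against one account. On real infrastructure the same logic is usually applied per source network rather than per address, since stuffing tools rotate through proxies.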

9,400 Patients Affected by Fertility Specialists Medical Group Cyberattack

Fertility Specialists Medical Group (FSMG) in Carlsbad, CA recently discovered that unauthorized persons gained access to its system and potentially obtained the PHI of 9,437 current and former patients. FSMG detected the network attack on March 20, 2023 and engaged a third-party forensic investigation to determine its nature and extent. The investigation concluded on April 21, 2023 and revealed that an unauthorized person had accessed the system and potentially obtained files containing first and last names, birth dates, and medical data. Some of the affected persons also had their Social Security numbers compromised. FSMG had not received any report of misuse of the compromised information at the time notifications were sent.

FSMG stated that IT experts reviewed the system's security and that it will regularly review its data security measures to prevent similar incidents in the future. The healthcare provider offered free credit monitoring and identity theft protection services to all affected persons.

Fortra GoAnywhere Hack Impacts Northwest Health – La Porte

Northwest Health – La Porte in Indiana recently reported the compromise of the PHI of 10,256 patients in the series of attacks by the Clop ransomware group between January 28, 2023 and January 30, 2023. The attackers exploited a zero-day vulnerability in Fortra's GoAnywhere file transfer software and exfiltrated data, which they then used in their efforts to extort money from affected individuals.

Fortra stated that it has blocked the unauthorized access and rebuilt the file transfer platform with the vulnerability properly patched. Affected persons were offered identity restoration and credit monitoring services for the period required by state law.

PHI Possibly Exposed in IMA Financial Group, Inc. Cyberattack

IMA Financial Group, Inc., an integrated financial services firm based in Wichita, KS, has reported the potential theft by unauthorized persons of the PHI of 2,937 persons associated with IMA or its customers.

IMA detected suspicious system activity on October 19, 2022. It took immediate steps to secure its systems and engaged a third-party cybersecurity firm to investigate. According to the investigation, unauthorized persons accessed IMA data and potentially stole it on October 19, 2023.

The data analysis determined on March 10, 2023 that the files potentially stolen in the attack contained PHI including names, birth dates, driver's license information, Social Security numbers, other government ID numbers, medical data, and/or claim-related data. Updated contact details were required before notification letters could be sent, beginning on April 19, 2023.

$160 Million Cost of Ransomware Attack

CommonSpirit Health has provided an updated estimate of the cost of its October 2022 ransomware attack, which is now expected to reach $160 million. CommonSpirit Health detected the ransomware attack on October 2, 2022 and took its systems offline. The attack affected more than 100 current and former CommonSpirit facilities in 13 states. According to the forensic investigation, the hackers first gained access to its systems on September 16, 2022 and were locked out on October 3, 2022. The attackers took data from two file servers but did not gain access to its health record system. The stolen data included the PHI of approximately 624,000 patients.

CommonSpirit Health operates 143 hospitals and about 2,300 care sites in 22 states and is the second-largest non-profit health system in the United States. CommonSpirit's total revenue was $8.3 billion for the three months to March 31, 2023, and $25.6 billion for the nine months to March 31. For the first quarter of 2023, CommonSpirit reported $648 million in operating losses, and $1.1 million in losses for the nine months to March 31. Its net losses were $231 million for the three-month period and $445 million for the nine-month period, helped by better investment returns. CommonSpirit stated the ransomware attack had no effect on the operating results of the current quarter.

The ransomware attack was initially estimated to cost about $150 million, but a further $10 million in expenses has since been added. The higher figure accounts for lost revenue due to business disruption, costs incurred containing the ransomware attack, and other business-related expenses. In a call with investors, CommonSpirit said that the majority of the $160 million is expected to be recovered from insurers, though recovery of those costs is likely to take some time. CommonSpirit also noted in its quarterly report that there is a pending class action lawsuit related to the ransomware attack and data breach. The lawsuit was filed in December 2022 in X. It alleges that CommonSpirit failed to implement reasonable and appropriate security measures to protect patient information, and seeks injunctive relief, damages for the plaintiff and class of up to $5 million, and legal costs.

Data Breaches Reported by NextGen Healthcare, NationsBenefits Holdings and Murfreesboro Medical Clinic & SurgiCenter

NextGen Healthcare Breach Impacts Over 1 Million Individuals

NextGen Healthcare has begun notifying over 1 million people across the United States of a hacking incident that compromised their protected health information (PHI). NextGen Healthcare, based in Atlanta, GA, provides electronic health records (EHR) and practice management services to physicians and ambulatory care providers. It detected suspicious activity in its NextGen Office system on March 30, 2023. Third-party cybersecurity specialists conducted a forensic investigation to determine the nature and extent of the data breach, which showed that unauthorized persons had access to the system from March 29, 2023 to April 14, 2023.

The attackers accessed a limited dataset during that period. The accessed data included names, addresses, birth dates, and Social Security numbers. No evidence was found that the attackers viewed patient health records or any medical information, and there have been no reports of attempted or actual misuse of patient information. NextGen Healthcare reset passwords upon discovery of the breach and implemented additional security measures. The provider has begun sending notification letters to affected individuals and has offered them free credit monitoring and identity theft protection services for two years.

The data breach has not yet been posted on the HHS Office for Civil Rights breach portal, but it has been reported on a number of state Attorney General websites. The breach notification submitted to the Maine Attorney General indicated that 1,049,375 persons were affected, including 3,913 Maine residents. The breach report submitted to the Texas Attorney General indicated that 131,815 Texas residents were affected.

This is NextGen Healthcare's second cyberattack in recent months. The first was in January 2023, when the BlackCat ransomware group added NextGen to its data leak site; the listing was later removed. The investigation of that incident found that no patient data was compromised or downloaded, so it was not considered a reportable data breach.

3 Million Record Data Breach at NationsBenefits Holdings

NationsBenefits Holdings, LLC offers supplemental benefits, flex cards, and member engagement services to managed care organizations and health plans. The company reported that it was affected by the security breach involving Fortra's GoAnywhere MFT file transfer solution. The Clop ransomware group was responsible for the attack, gaining access to NationsBenefits data on January 30, 2023 and exfiltrating it from the GoAnywhere MFT solution. It demanded a ransom payment to prevent exposure of the stolen data. The group stole data from 130 organizations, including NationsBenefits.

The Clop group exploited a previously unknown (zero-day) vulnerability in the GoAnywhere MFT solution, which allowed it to gain access to, and steal data from, unsecured on-premises MFT servers. NationsBenefits Holdings stated the Clop group accessed only two MFT servers; nevertheless, an analysis of the records on those servers showed they contained the PHI of 3,037,303 health plan members, from plans including, but not limited to, ACE, Aetna, Elevance Health Flexible Benefits Plan, and the UAW Retiree Medical Benefits Trust. The breached data included first and last name, telephone number, address, birth date, gender, Social Security number, health plan subscriber ID number, and/or Medicare number.

The security breach also affected other healthcare organizations, including Brightline (at least 964,300 persons) and Community Health Systems (1 million persons); nevertheless, NationsBenefits is currently the worst-affected healthcare organization. In total, over 4 million persons had their PHI stolen in these attacks. NationsBenefits stated it learned of the breach when its security monitoring team received an alert from an MFT server on February 7, 2023 indicating unauthorized access. It contacted Fortra and requested assistance with the investigation. The preliminary analysis confirmed the access to the MFT server and the data theft. The subsequent internal investigation showed that the threat actor did not move into NationsBenefits' other systems or applications.

NationsBenefits stated that it had layered security controls in place before the attack and has since strengthened them. NationsBenefits has taken its MFT servers completely offline and has switched to another file transfer solution that does not depend on Fortra software. Notification letters were mailed to affected persons starting on April 13, 2023, and complimentary credit monitoring services have been offered for 24 months.

Ransomware Attack Leads to 2 Week Operations Shutdown at TN Medical Clinic

Murfreesboro Medical Clinic & SurgiCenter (MMC) in Tennessee suffered a cyberattack that forced the healthcare organization to fully close operations for about two weeks to contain the attack and restore its IT systems. It is common for healthcare organizations to perform an emergency network shutdown to contain a cyberattack and limit the damage, and to operate under emergency protocols with staff recording patient data by hand while systems are unavailable. In some attacks, ambulances are diverted to other hospitals and a few appointments are postponed to ensure patient safety; however, the disruption caused by this attack was far more extensive.

The cyberattack occurred on April 22, 2023 and resulted in the rapid shutdown of the network to contain it. Third-party cybersecurity specialists assisted with the investigation and recovery efforts. MMC stated the rapid action taken after the breach limited the damage. Work continued around the clock to safely bring systems back online and improve security measures. MMC, together with cybersecurity specialists and law enforcement, investigated the incident to determine the scope of the attack, and while those procedures were carried out, it was decided to shut down all operations. MMC planned a limited reopening on May 3, 2023, with full operations to follow shortly after; nevertheless, restoration took longer than planned.

The MMC Pediatric and Internal & Family Walk-In Clinics on Garrison Drive reopened on May 4, 2023, but all other clinics remained closed. On May 5, 2023, all surgical procedures in its SurgiCenter, gastroenterology procedures, and laboratory and radiology services were cancelled, and the MMC Now clinics remained closed, though telephone lines were restored. On May 6-7, MMC Pediatrics resumed regular weekend operations, but the MMC Now Family Walk-In Clinics and laboratory and radiology services stayed closed over the weekend. On May 8, 2023, operations remained limited: some scheduled appointments went ahead as planned, but the MMC Now Family Walk-In locations and lab and radiology services stayed closed.

MMC says it is committed to keeping sensitive patient and employee data secure; however, like many other organizations across the country and despite its efforts, MMC remains a prime target for criminals seeking to steal personal or corporate information. MMC CEO Joey Peay stated that the company worked hard to communicate the shutdowns to all individuals promptly, using every channel of communication available.

Although the precise nature of the cyberattack has not been stated, it is understood to be a ransomware attack involving data theft. The impact on patient data is under investigation, and MMC will make further announcements and issue notifications as required when the investigation concludes.

Data Breaches at Atlantic General Hospital, Lawrence General Hospital, OU Health and Other Healthcare Providers

A summary of data breach reports that were recently submitted to the HHS’ Office for Civil Rights, state Attorneys General, and the press.

Ransomware Attack at Atlantic General Hospital

Atlantic General Hospital (AGH) in Berlin, MD, recently reported a ransomware attack to the Maine Attorney General that affected roughly 30,704 people. AGH discovered the attack on January 29, 2023 after noticing that files had been encrypted. A third-party computer forensics firm assisted with the investigation and confirmed unauthorized access to files containing patient data from January 20, 2023.

The analysis of the files was completed on March 6, 2023, and confirmed that they included names, financial account data, Social Security numbers, and at least one of these data types: treating/referring doctor, medical record number, medical insurance data, subscriber number, medical history data, or diagnosis/treatment details.

AGH mailed notification letters to the affected individuals on March 24, 2023. Affected individuals have been offered a free one-year membership to a credit and identity monitoring service. AGH has given its employees additional training and will implement further security measures to prevent similar attacks in the future.

Hacking Incident at Lawrence General Hospital

Lawrence General Hospital in Massachusetts submitted a data breach report to the HHS' Office for Civil Rights on February 23, 2023. Little is known about the breach beyond the fact that it was reported as a hacking/IT incident affecting 76,571 individuals. As of March 29, 2023, the hospital had not published a notice on its website, and the breach had not yet been posted on the Massachusetts Attorney General's breach website.

Stolen Laptop Computer from OU Health

OU Medicine Inc. in Oklahoma has submitted a breach report indicating that the protected health information (PHI) of 3,013 OU Health patients was affected. On December 26, 2022, an employee's laptop computer was stolen. OU Health audited the files believed to be stored on the laptop and confirmed on January 17, 2023 that unauthorized individuals may have accessed emails containing patient information such as names, dates of birth, driver's license numbers, account numbers, Social Security numbers, medical record numbers, provider names, dates of service, medical insurance data, and diagnosis and treatment data.

Although there have been no reports of patient data misuse, OU Health cannot rule out unauthorized access to patient information. The healthcare provider notified all affected individuals and offered free credit monitoring services to those whose Social Security numbers were exposed.

Hacking incident at Majestic Care

Majestic Care provides community-based skilled nursing care across Indiana, Michigan, and Ohio. It has reported a hacking incident in December 2022 that disrupted access to its IT systems. The provider detected the security breach on December 13, 2022, and its information systems remained inaccessible until December 16, 2022.

A forensic investigation confirmed that the disruption was caused by malicious software installed on its systems by an unauthorized person, who first gained access on December 9, 2022. By February 3, 2023, the investigation had also confirmed likely unauthorized access to the system and exfiltration of files containing personal data and PHI, such as names, birth dates, mailing addresses, phone numbers, driver's license numbers, Social Security numbers, and information related to healthcare treatment and billing.

The breach affected 2,636 individuals who received treatment services through Majestic Care Middletown Assisted Living LLC in Indiana.

GoAnywhere Hacking Incident at Blue Shield of California

Blue Shield of California (BSC) has reported the theft of the PHI of 63,341 individuals in a hacking incident in which a zero-day vulnerability in Fortra's GoAnywhere Managed File Transfer-as-a-Service (MFTaaS) solution was exploited.

BSC stated that it was notified of the breach on February 5, 2023 by Brightline Medical Associates, a vendor that provides families and children with virtual behavioral health coaching and therapy. The file transfer application was determined to have been compromised from January 28, 2023 to January 31, 2023, during which time the attacker copied files containing sensitive data. The files included names, dates of birth, addresses, gender, phone numbers, Blue Shield subscriber ID numbers, email addresses, plan group numbers, and plan names.

When Fortra discovered the breach, it immediately terminated the unauthorized access and took the application offline. Fortra has since applied the patch and rebuilt the application and gateway. BSC has offered all affected individuals a free 12-month membership to Experian IdentityWorks credit monitoring and identity theft protection services.

The Clop ransomware group has claimed responsibility for the attacks and the theft of data from more than 130 organizations, including Community Health Systems.

GoAnywhere Hacking Incident at US Wellness Inc.

US Wellness Inc. in Maryland has reported that it was also affected by the GoAnywhere cyberattack, which resulted in the theft of the PHI of 11,459 members of Blue Cross Blue Shield of Arizona.

US Wellness stated that it detected the cyberattack on February 9, 2023. The affected data included names, addresses, dates of birth, service start dates, member ID numbers, and service locations. No misuse of the stolen information has been discovered. US Wellness said it has taken steps to enhance its security procedures to prevent similar incidents in the future. Affected individuals were notified of the breach on March 22, 2023.

Email Account Breach at Health Plan of San Mateo

Health Plan of San Mateo in San Francisco, CA recently reported an email account breach that exposed, and may have resulted in the theft of, the PHI of 4,032 plan members. The health plan discovered suspicious activity in its email environment on January 17, 2023 and determined that an unauthorized person had accessed an employee's email account.

The attacker is believed to have accessed the account in order to change the employee's direct deposit details rather than to obtain plan member information; nevertheless, unauthorized access to PHI cannot be ruled out. The email account contained a spreadsheet with names, dates of birth, member ID numbers, and some information about calls to the nurse advice line. Additional security measures have been implemented to prevent similar incidents, and employees have received further training on recognizing phishing attempts.


Exposure of Protected Health Information in 6 Recent Cyberattacks

Independent Living Systems, LLC (ILS), Florida Medical Clinic, Denver Public Schools, NorthStar Emergency Medical Services, The Bone & Joint Clinic, and Wichita Urology Group have recently reported cyberattacks that exposed, and may have resulted in the theft of, protected health information (PHI).

Independent Living Systems

Independent Living Systems, LLC (ILS) in Miami, FL provides third-party administrative services to managed care organizations. It recently notified the Maine Attorney General of a data breach affecting 4,226,508 people, the largest healthcare data breach reported so far in 2023.

According to the breach notification, ILS discovered suspicious activity within its computer network on July 5, 2022. With the help of third-party cybersecurity professionals, ILS confirmed that unauthorized individuals had access to its systems from June 30, 2022 to July 5, 2022 and obtained files containing sensitive information.

ILS conducted a detailed analysis of all affected files and received the findings on January 17, 2023. ILS then validated those results and obtained updated contact details for the affected individuals so that notification letters could be sent.

The data compromised included names, birth dates, addresses, state ID numbers, taxpayer ID numbers, Social Security numbers, financial account details, Medicaid/Medicare IDs, diagnosis codes/diagnosis data, dates of admission/discharge, mental/physical conditions, treatment details, food delivery data, prescription data, billing/claims details, and medical insurance data. The types of data differed from one person to another.

The affected individuals had previously received services directly from ILS, through its covered-entity subsidiaries HPMP of Florida Inc. (doing business as Florida Complete Care) and/or Florida Community Care LLC, or from other health plan and data owner clients.

ILS stated that it posted an initial notice on its website on September 2, 2022, but did not issue notification letters until the analysis and validation process was complete. Notification letters were sent to affected individuals on March 14, 2023, and free credit monitoring services were offered.

ILS stated that it is implementing additional security measures to prevent further cyberattacks, including strengthening its firewall, changing its password complexity requirements, adding internal security processes, updating its employee training practices, and providing employees with further training.

Florida Medical Clinic

Florida Medical Clinic has recently reported a ransomware attack. The healthcare provider discovered the attack on January 9, 2023 and took immediate action to contain it, which limited data exposure even though files were encrypted. A third-party forensic investigation revealed that the attacker accessed files containing patients' PHI; however, Florida Medical Clinic's electronic medical record system was not affected.

In a detailed breach notice, Florida Medical Clinic said that 94,132 files were compromised, each of which contained only minimal patient data. 95% of the exposed files contained only a person's name. The remaining files contained names, telephone numbers, birth dates, email addresses, and addresses. No financial data was compromised, and only 115 Social Security numbers were exposed.

Florida Medical Clinic stated that it has evidence that all stolen files were permanently deleted, which suggests that a ransom was paid. Such deletion evidence originates from the attacker and cannot be independently verified. No evidence of patient data misuse has been found. The healthcare provider has notified all affected patients and implemented additional cybersecurity measures to prevent further attacks, including replacing selected system components and changing its remote access practices.

The incident has not yet been posted on the HHS' Office for Civil Rights breach portal, so the number of affected patients is not yet known.

The Bone & Joint Clinic in Wisconsin

The Bone & Joint Clinic operates 7 clinics in Wisconsin. It recently notified current and former employees and patients about a cyberattack discovered on January 16, 2023 and the resulting network disruption. According to the notification letters, unauthorized individuals may have viewed and obtained files containing data such as names, addresses, telephone numbers, dates of birth, Social Security numbers, medical insurance data, and diagnosis and treatment data.

Affected individuals were sent notification letters on March 7, 2023 and offered free credit monitoring and identity theft protection services for 12 months. The breach has been reported to the HHS' Office for Civil Rights as affecting 105,094 individuals.

NorthStar Emergency Medical Services

NorthStar Emergency Medical Services in Tuscaloosa, AL recently announced a data breach affecting approximately 82,450 patients. According to the notification submitted to the Maine Attorney General, the provider discovered suspicious activity within its computer systems on September 16, 2022, but did not confirm the exposure of patient data until March 8, 2023. The breach notice does not state when the attackers first gained access to its systems.

The affected files contained data such as names, Social Security numbers, dates of birth, patient ID numbers, treatment data, Medicaid/Medicare numbers, and medical insurance data. NorthStar Emergency Medical Services sent notification letters to affected individuals on March 14, 2023, offered them free credit monitoring and identity theft protection services, and has taken steps to strengthen security.

Denver Public Schools

Denver Public Schools has recently reported that unauthorized individuals gained access to parts of its servers and exfiltrated files containing sensitive employee information. The district discovered the data theft on January 4, 2023. The forensic investigation confirmed that unauthorized individuals had access to its systems from December 13, 2022 to January 13, 2023.

The document analysis showed that the affected files contained names, fingerprints (where included in the file), pay card numbers/bank account numbers, Social Security numbers, driver's license numbers, student ID numbers, passport numbers, and some health plan enrollment details. The breach was reported to the HHS' Office for Civil Rights as involving the PHI of 35,068 current and former participants in its employer-sponsored health plan. The number of students affected is not known. Denver Public Schools stated that additional security measures have been implemented to prevent similar breaches, and it is offering credit monitoring and identity theft protection services to affected individuals.

Wichita Urology Group

Wichita Urology Group in Kansas has recently notified 1,493 individuals that unauthorized persons gained access to its systems and may have accessed or obtained files containing names, prescription data, billing data, and medical insurance details.

Suspicious activity was detected within its systems on January 3, 2023, and the forensic investigation confirmed that the attack occurred on January 2. On January 26, 2023, the investigation confirmed that PHI had been exposed; however, no misuse of patient data has been observed. Technical safeguards have been enhanced to prevent further attacks.


PHI Breached in Four Recent Malware and Ransomware Attacks

Data of Teijin Automotive Technologies Welfare Plan Members Exposed in December Ransomware Attack

Teijin Automotive Technologies has recently reported the potential access and theft of the protected health information (PHI) of 25,464 members of its welfare plan in a ransomware attack on December 1, 2022. Teijin Automotive Technologies has been open about the attack and its cause: the attacker bypassed its security controls through phishing. On November 30, an employee clicked a link in a phishing email, which allowed the threat actor to steal login credentials, breach the company's servers, and deploy ransomware the following day. The company contained the attack on December 5, 2022.

The IT team took prompt action to prevent any further unauthorized access. The FBI and law enforcement were notified immediately and assisted with the investigation. Analysis of the breached servers showed that they contained data related to Teijin Automotive Technologies' welfare plan, including names, addresses, dates of birth, Social Security numbers, medical insurance policy data, and, for a limited number of members, banking details. Teijin Automotive Technologies believes that no medical information was stored on the affected servers.

Teijin Automotive Technologies said that the security and privacy of its employees' personal data and its clients' business information is important to it. CEO Chris Twining expressed regret that the incident occurred and apologized to employees, clients, and affected individuals. The company has taken additional steps to strengthen its data security, including improving its security processes, investing in new technology, and providing employees with further training. Teijin Automotive Technologies has notified the affected individuals and offered them credit monitoring services.

Malware Attack Reported by Arizona Health Advantage

Arizona Health Advantage, a healthcare provider in Chandler, AZ that does business as Arizona Priority Care and AZPC Clinics, LLC, recently reported the discovery of malware on its network. The incident rendered some of its servers inaccessible, and unauthorized persons were able to access and exfiltrate patient data and health plan member information.

The company discovered the security incident on December 5, 2022 when employees were unable to access files on some of its servers. With the assistance of a third-party computer forensics firm, the investigation confirmed that the attack occurred between December 1 and December 2. The attackers exfiltrated files containing the information of patients and members of the following health plans: Alignment Health Insurance Company of Arizona, Inc., Alignment Health Plan of Arizona, Inc., Blue Cross Blue Shield of Arizona, WellCare Health Plans of Arizona, Inc. (Centene), and Health Net of Arizona, Inc. (Centene).

The types of information affected varied from person to person and may have included names, birth dates, addresses, treatment dates, treatment details, health plan member numbers, service authorization numbers, and other personal data. Affected individuals have been notified and offered a one-year membership to a credit monitoring service. Additional security measures and practices have been implemented to protect against future attacks. According to the HHS' Office for Civil Rights, the PHI of 10,978 individuals was potentially exposed.

Garrison Women’s Health Reports Patient Data Access Due to Malware

Garrison Women's Health in Dover, NH, a division of Wentworth-Douglass Hospital, has recently reported the potential theft of the PHI of 4,158 patients in a cyberattack on its business associate, Global Network Systems.

Global Network Systems, a technology services company, discovered the cyberattack on December 12, 2022 when a network outage rendered its systems inaccessible. The investigation revealed that an unauthorized third party had access to Global's network for about eight months, having first gained access on April 29, 2022.

Garrison Women's Health stated that the attack corrupted files in its electronic health records, which Global hosted and was unable to recover. The corrupted data related to patients who received healthcare services between April 29, 2022 and December 12, 2022 and included health and treatment details, coding, claims information, insurance details, payment data, physician notes, and scheduling details.

Garrison Women's Health stated that the corrupted data could not be recovered from backup copies, although it was able to regain access to data stored in certain radiology and ultrasound applications. After investigating other possible backup sources, Garrison was able to bring its electronic medical record system back online with data restored up to April 28, 2022. The loss of roughly eight months of records illustrates why backups need to be isolated from the production network and regularly tested for restoration.

Although the incident report does not describe it as a ransomware attack, it has the hallmarks of one. Garrison Women's Health stated that it does not believe any patient data has been misused, but affected individuals have been advised to monitor their accounts and Explanation of Benefits statements for suspicious activity.

Although data loss has been confirmed, Garrison Women's Health explained that some of the lost data was likely copied and retained by a patient's primary care physician, hospital, or other organizations, or may have been obtained by the patient's health plan.

Riverside Health System Data Exposed Due to Malware Attack on Intelligent Business Solutions

Intelligent Business Solutions (IBS) has recently begun notifying Riverside Health System's cardio-thoracic patients that some of their personal data and PHI may have been viewed or stolen. IBS detected a security breach on or around November 14, 2022 after identifying suspicious activity within its systems. Forensic investigators determined that malware had been used to encrypt files on certain servers and systems, and that the breach occurred between November 10, 2022 and November 15, 2022.

Analysis of the affected files showed that they contained names, birth dates, medical insurance data, medical treatment details, and procedure details. Although data was likely stolen, IBS has not received any report of actual or attempted misuse of the stolen data. IBS stated that it had comprehensive policies, procedures, and cybersecurity defenses in place, but they did not prevent the attack. Those cybersecurity procedures are under review and will be revised as needed to reduce the likelihood of further attacks. Affected individuals have been offered free memberships to identity theft protection and credit monitoring services for two years.