Over 850,000 People Affected by Cyberattack on Partnership Health Plan of California

In March 2022, Partnership HealthPlan of California (PHC) reported that it had engaged third-party forensic professionals to help restore its IT network following a cyberattack. PHC has since confirmed, in a breach notification sent to the Maine Attorney General, the potential theft of the protected health information (PHI) of 854,913 current and former health plan members. This is one of the largest healthcare data breaches announced so far this year.

According to the notification, the cyberattack was discovered on or about March 19, 2022. PHC took immediate steps to contain the breach and launched an investigation to determine the nature and scope of the attack. PHC said the forensic investigation found evidence that the unauthorized party responsible had exfiltrated files from the PHC network on or about March 19.

The review of the compromised files is still in progress, and although it has not yet been confirmed which specific types of protected health information were included, the health plan has begun sending notification letters to affected individuals. PHC said the information potentially stolen may include names, email addresses, addresses, dates of birth, Tribal ID numbers, driver’s license numbers, Social Security numbers, medical record numbers, health insurance details, diagnoses, treatment and prescription data, other clinical details, and member online account usernames and passwords.

Although PHC did not describe the nature of the cyberattack in its breach notification letter, the Hive ransomware gang has claimed responsibility and says it stole approximately 400 GB of files, a portion of which was temporarily uploaded to the group’s data leak website. PHC said it is reviewing and improving its data protection and security policies and procedures, and that additional security measures and safeguards will be implemented to protect against this type of incident in the future. PHC is covering the cost of two years of credit monitoring services for victims. A class-action lawsuit has recently been filed on behalf of individuals affected by the breach.

Mental Health Center of Greater Manchester and Illinois Gastroenterology Group Announce Hacking Incidents

Illinois Gastroenterology Group recently announced that unauthorized individuals gained access to its computer environment and potentially accessed and exfiltrated sensitive patient data. The group detected the cyberattack on October 22, 2021, after suspicious activity was identified within its computer network.

Third-party cybersecurity professionals were engaged to investigate the attack and determine the nature and scope of the incident. On November 18, 2021, Illinois Gastroenterology determined that the parts of its systems accessed by the unauthorized individuals contained patient data such as names, addresses, birth dates, passport numbers, driver’s license numbers, Social Security numbers, financial account details, payment card data, employer-assigned identification numbers, medical details, and biometric information.

Illinois Gastroenterology said it could not rule out unauthorized viewing or theft of files containing patient records; however, at the time the notification letters were issued, no reports had been received suggesting any misuse of the breached information. The review of the affected files was completed on March 22, 2022, and notification letters have now been mailed to affected individuals.

In response to the breach, policies and procedures related to network security were reviewed and improved, the rollout of a better managed Security Operations Center was accelerated, and multi-factor authentication was implemented. Although the security breach was not confirmed to involve ransomware, Illinois Gastroenterology said a new endpoint detection and response platform has been deployed with policies enabled specifically for ransomware.

The data breach was recently reported to the HHS’ Office for Civil Rights as affecting approximately 227,943 individuals.

Data of Mental Health Center of Greater Manchester Patients Exposed

The Mental Health Center of Greater Manchester (MHCGM) in New Hampshire has announced that patient information was likely exposed in a cyberattack on the Center for Life Management (CLM), a third-party community mental health services partner that MHCGM used for data storage.

On February 21, 2022, an unauthorized individual accessed CLM’s systems. CLM discovered the cyberattack on February 23, 2022, and immediately secured its systems to prevent further unauthorized access. The breach only affected CLM’s systems; the security of MHCGM’s systems was not impacted.

CLM investigated the incident and confirmed on April 11, 2022, that the attackers may have viewed and copied files containing patient data, including names, addresses, dates of birth, Social Security numbers, diagnoses, medical details, discharge data, and treatment locations and/or healthcare organizations.

No evidence was found to indicate that unauthorized individuals viewed or obtained any specific data as a result of the attack; nevertheless, affected individuals have been offered a year of complimentary credit monitoring. MHCGM said it no longer uses CLM for data storage and is removing all of its information from CLM’s systems.

The HHS’ Office for Civil Rights breach portal shows that 1,322 MHCGM patients were affected.

Cyberattack Announced by Salusive Health and New Creation Counseling Center

Salusive Health, the creator of the myNurse platform that helps physician practices streamline disease management, has experienced a cyberattack in which patient information was affected.

In its breach notification letters to patients, Salusive Health said it discovered unauthorized activity within its computer system on March 7, 2022, promptly undertook containment, mitigation, and restoration efforts, and engaged third-party cybersecurity specialists to assist with those steps. The investigation determined that unauthorized individuals accessed the personal data and protected health information (PHI) of patients, including name, telephone number, gender, home address, email address, birth date, medical history, diagnosis and treatment data, dates of service, laboratory test results, prescription details, medical account number, provider name, group plan provider, health insurance policy and group plan number, and claims data.

Salusive Health said it has implemented additional security measures to prevent further breaches, has notified affected individuals and offered them complimentary identity theft protection services, and has reported the cyberattack to the FBI. The incident has not yet appeared on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many people were affected.

Salusive Health also disclosed in the breach notification letters that it has made the difficult decision to cease clinical operations on May 31, 2022, which will allow patients to transfer their chronic care management and remote monitoring services back to their primary care physicians. Salusive Health said the decision to end operations is unrelated to the data security incident.

24,000 Patients Impacted by New Creation Counseling Center Ransomware Attack

New Creation Counseling Center (NCCC) in Tipp City, OH, has recently begun notifying 24,029 patients that some of their PHI was potentially exposed in a recent cyberattack.

NCCC detected a compromise of its IT network on February 13, 2022, when users were unable to access files on the network. The center promptly took steps to prevent further unauthorized access and launched an investigation to determine the nature and scope of the breach. NCCC confirmed that ransomware had been used to encrypt files and engaged third-party cybersecurity specialists to assist with response and recovery.

NCCC said it continued to provide care to patients throughout and that the ransomware has been removed from its systems. Although the investigation found no evidence of data theft, it could not be ruled out. A review of files on the affected systems confirmed they included names, telephone numbers, addresses, email addresses, dates of birth, Social Security numbers, health insurance details, intake forms, clinical releases, and treatment information.

Breach notifications had been mailed to impacted people starting on April 12, 2022, and 12 months of credit monitoring services were provided to patients without cost.

American Dental Association Recovers from Cyberattack

The American Dental Association (ADA) has experienced a cyberattack and had to take many of its systems offline. The ADA website is currently accessible and states that the ADA is experiencing technical difficulties and is working to restore its systems. Although the website gives no further details on the cause of the technical issues, emails have been sent to ADA members informing them of the cyberattack.

The emails state that portions of the ADA network were taken offline and that ADA email, Aptify, the telephone system, and web chat were all affected. Many of its online services are currently unavailable; however, no further information about the attack has been released at this time.

The ADA said it has reported the cyberattack to law enforcement, is investigating the nature and scope of the attack, and is being assisted by third-party cybersecurity experts. The investigation has not uncovered any evidence of data theft at this stage, and the extent to which its members, dental practices, and other dental organizations were affected is unknown. Several state dental associations, including the New York and Florida Dental Associations, have also noted on their websites that they are experiencing technical problems.

Although little information has been made public about the specific nature of the attack, it has the hallmarks of a ransomware attack. According to Bleeping Computer, Black Basta, a new ransomware operation, has claimed responsibility for the cyberattack and has posted some of the stolen data on its data leak site. Black Basta says the leaked files represent approximately 30% of what was stolen from the ADA and include employee details, financial data, and other sensitive records.

Black Basta is a new ransomware group that began conducting attacks in mid-April 2022, with the earliest known victim being Deutsche Windtechnik, the German wind farm operator. The ransomware encrypts files using AES+RSA algorithms and appends the .basta extension to encrypted files. The group states in its ransom notes that data has been stolen and will be published on its Tor leak site if the ransom is not paid. The desktop wallpaper on victim devices is replaced with an image bearing the message, “your network is encrypted by Black Basta group.” A readme.txt file is dropped on the desktop with instructions for recovering files.
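A defender-side triage script, added here as an example and not taken from the page or from any vendor, that walks a file tree for the two host artifacts just described: files carrying the .basta extension and a readme.txt note dropped beside them. The sample tree is constructed, and the co-location threshold and verdict labels are my own assumptions.

```python
"""Host-side triage of Black Basta artifacts: files renamed with the .basta
extension and readme.txt notes dropped next to them.  Constructed example;
the sample tree built below is synthetic."""
import os
import tempfile
from collections import defaultdict
from pathlib import Path

ENCRYPTED_EXT = ".basta"   # extension Black Basta appends to encrypted files
NOTE_NAME = "readme.txt"   # name of the dropped ransom note


def scan_tree(root):
    """Walk `root` and collect, per directory, the .basta files and any
    readme.txt found there.  Returns {dir: {"encrypted": [...], "note": path|None}}."""
    per_dir = defaultdict(lambda: {"encrypted": [], "note": None})
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.suffix.lower() == ENCRYPTED_EXT:
                per_dir[dirpath]["encrypted"].append(str(path))
            elif name.lower() == NOTE_NAME:
                per_dir[dirpath]["note"] = str(path)
    return dict(per_dir)


def assess(per_dir, min_encrypted=2):
    """Classify the findings.  A readme.txt on its own is not evidence (many
    projects ship one); a readme.txt beside several .basta files is a strong
    match.  The threshold is an assumed tuning value, not a published indicator."""
    encrypted_total = sum(len(v["encrypted"]) for v in per_dir.values())
    note_with_encrypted = [
        d for d, v in per_dir.items()
        if v["note"] and len(v["encrypted"]) >= min_encrypted
    ]
    if note_with_encrypted:
        verdict = "likely-black-basta"
    elif encrypted_total:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {
        "verdict": verdict,
        "encrypted_files": encrypted_total,
        "dirs_with_note_and_encrypted": sorted(note_with_encrypted),
    }


def build_sample_tree(base):
    """Constructed sample: two directories hit by the ransomware and one
    untouched source directory that legitimately contains a readme.txt."""
    layout = {
        "finance/budget.xlsx.basta": b"\x00junk",
        "finance/q1.docx.basta": b"\x00junk",
        "finance/readme.txt": b"constructed ransom note placeholder",
        "patients/records.db.basta": b"\x00junk",
        "patients/readme.txt": b"constructed ransom note placeholder",
        "src/readme.txt": b"build instructions for the project",
        "src/main.c": b"int main(void){return 0;}",
    }
    for rel, data in layout.items():
        p = Path(base) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def run_demo():
    """Build the sample tree in a temp dir, scan it, and return the assessment."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return assess(scan_tree(tmp))


if __name__ == "__main__":
    print(run_demo())
```

With the default threshold only the finance directory (two .basta files plus a note) is reported; the single encrypted file under patients still raises the total count, and the legitimate readme.txt under src is ignored.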

2021 Had Very High Numbers of DDoS Attacks on the Healthcare Sector

A new Comcast Business report shows that 9.84 million Distributed Denial of Service (DDoS) attacks were recorded in 2021, a 14% increase from 2019, although slightly lower than the 10.1 million attacks recorded the previous year.

The slight decline in attacks was due to a few factors. 2020 was an exceptionally bad year because it was a full lockdown year: employees were working remotely and students were learning from home, which gave attackers a unique environment in which to launch an unprecedented number of DDoS attacks. The high value of cryptocurrencies in 2021 also led many threat actors to divert their botnets from performing DDoS attacks to mining cryptocurrency.

In 2021, 73% of DDoS attacks were directed at just four industries – government, healthcare, education, and finance. Attackers followed seasonal trends and events throughout the year, with education targeted in line with the school year, and COVID-19 and vaccine availability driving DDoS attacks on the healthcare sector.

Multi-vector attacks rose by 47% in 2021. Comcast Business DDoS Mitigation Services protected customers against 24,845 multi-vector attacks targeting layers 3, 4, and 7 (Network, Transport, and Application) simultaneously. 69% of Comcast Business customers were affected by DDoS attacks in 2021, a 41% increase from 2020, and 55% of Comcast Business customers experienced multi-vector attacks targeting layers 3, 4, and 7 concurrently. There was also a sharp rise in the number of vectors used in multi-vector attacks, from 5 in 2020 to 15 in 2021, with the number of amplification methods used in attacks rising from 3 to 9.

DDoS attacks flood victims’ networks with traffic to render them unusable, and although attacks are often carried out for that reason alone, it is common for DDoS attacks to be used to distract organizations and tie up resources while the attackers carry out other malicious activity. There is a strong correlation between DDoS attacks and security breaches. According to a Neustar survey, about half of businesses (47%) that experienced a DDoS attack found a virus in their networks following the attack, 44% said malware was activated, 33% reported a network breach, 32% reported customer data theft, 15% experienced a ransomware attack, and 11% were affected by financial theft.

The largest attack recorded in 2021 was a 242 Gbps DDoS attack, enough to saturate even high-bandwidth Ethernet Dedicated Internet (EDI) circuits within minutes. The scale of attacks has grown, and there is a clear trend toward low-volume attacks that stay below the radar of IT teams while causing damage on several levels. This strategy can degrade website performance, yet the attacks often go unnoticed by IT teams, who only discover they were targeted when they start receiving complaints from customers.

DDoS attacks are cheap to carry out, costing only a few dollars, and for a couple of hundred dollars massive attacks can be launched that can cripple companies. For the organizations targeted, DDoS attacks can be extremely costly. They can prevent businesses from reaching their customers and meeting SLAs, and can lead to serious financial and reputational harm. In some cases, the damage has been so severe that companies have been forced to close permanently. For organizations that depend on availability, every minute of downtime can result in losses of up to millions of dollars.

PHI Exposed Due to Data Breaches at SuperCare Health and Englewood Health

Cyberattack on SuperCare Health Affects 318,000 Patients

SuperCare Health, a Downey, CA-based provider of post-acute, in-home respiratory care services in the Western United States, has recently begun notifying 318,379 patients that some of their protected health information (PHI) was exposed and potentially accessed by unauthorized individuals as a result of a cyberattack in July 2021.

SuperCare Health explained in its March 25, 2022 breach notification letters that it discovered unauthorized activity within its IT systems on July 27, 2021. It immediately took action to secure its network and prevent continued unauthorized access, and independent cybersecurity specialists investigated the nature and scope of the attack.

The investigation determined that unauthorized individuals had access to parts of its network between July 23, 2021 and July 27, 2021, and may have accessed files containing patient PHI. A thorough review of the contents of those files, completed on February 4, 2022, confirmed that they included sensitive patient data such as names, addresses, birth dates, hospital/medical group, medical record numbers, patient account numbers, health insurance details, testing/diagnostic/treatment data, other health-related details, and claims data. A subset of individuals also had their driver’s license numbers and/or Social Security numbers exposed.

SuperCare Health said that in response to the security breach it reviewed its security procedures and implemented additional security measures to better protect the personal data and PHI of its patients.

SuperCare Health is offering affected individuals a no-cost membership to an identity theft protection service, which includes credit monitoring, dark web monitoring, and an identity theft reimbursement insurance policy.

Englewood Health Warns 3,900 Patients Regarding PHI Exposure

Englewood Health, a 289-bed acute care teaching hospital in Englewood, NJ, has reported a security breach involving the PHI of 3,901 individuals. On February 14, 2022, Englewood Health discovered that an employee’s username and password had been compromised, allowing an unauthorized individual to gain access to patient names, dates of birth, and limited medical information. Englewood Health said the unauthorized actor had access to patient information for less than 40 minutes before the intrusion was identified and blocked.

In response to the breach, Englewood Health has strengthened its administrative, physical, and technical network controls. Patients have been notified by mail, and although only a limited amount of data was compromised, affected patients have been offered complimentary credit monitoring services.

Law Enforcement Health Benefits and Oklahoma City Indian Clinic Experience Ransomware Attacks

85,282 Law Enforcement Health Benefits Members Impacted by Ransomware Attack

Law Enforcement Health Benefits, Inc. (LEHB) has recently announced that it suffered a ransomware attack that was detected on September 14, 2021. External cybersecurity experts were engaged to support the investigation and remediation efforts, and a manual review of files on the affected parts of the network was conducted. That process concluded on February 25, 2022, when it was confirmed that files containing the personal data and protected health information (PHI) of plan members had been stolen from its systems.

LEHB said the following types of information were compromised: names, Social Security numbers, dates of birth, financial account numbers, driver’s license numbers, health insurance data, diagnosis/treatment details, patient account numbers, and medical record numbers.

Although files were confirmed to have been copied from its systems, LEHB said it is unaware of any actual or attempted misuse of members’ data. Notification letters have been mailed to individuals with known current addresses, and complimentary credit monitoring services have been offered to those whose Social Security numbers were potentially exposed. LEHB said it has taken steps to secure its network and improve internal procedures to allow faster detection and remediation of future threats.

LEHB submitted the breach report to the HHS’ Office for Civil Rights indicating that 85,282 individuals were affected.

Oklahoma City Indian Clinic Cyberattack Investigated

Oklahoma City Indian Clinic (OKCIC), a 501(c)(3) non-profit that provides healthcare services to approximately 20,000 patients from 200 Native American tribes in Oklahoma, has reported on its website and social media accounts that it is currently experiencing technical issues and a network disruption that has blocked access to some computer systems. The attack appears to have occurred on or about March 10, 2022, and has affected the pharmacy’s automated refill line and mail order services.

The OKCIC IT team and third-party professionals are currently investigating the incident and working to restore access to the affected systems. The nature of the problem has not been disclosed, but it appears to be a ransomware attack. The Suncrypt ransomware gang has claimed responsibility for the cyberattack and has listed Oklahoma City Indian Clinic on its data leak site. As reported by Databreaches.net, Suncrypt claims to have stolen over 350 GB of data prior to encrypting files, including patients’ financial records and electronic medical records.

Suncrypt has threatened to leak the data if Oklahoma City Indian Clinic does not negotiate and pay the ransom demand. Oklahoma City Indian Clinic said the investigation into the attack is ongoing and that, at this stage, no evidence of data theft has been found.

Cyberattack Reported by Chelan Douglas Health District, Liberty of Oklahoma Corporation, and East Tennessee Children’s Hospital

Chelan Douglas Health District based in East Wenatchee, WA, has announced that it encountered a cyberattack in July 2021 in which the personal data and protected health information (PHI) of patients was exfiltrated from its systems. The breach notice posted on Chelan Douglas Health District web page does not state when the breach was identified, but a third-party cybersecurity agency investigated the cyberattack and affirmed that unauthorized individuals accessed its network from July 2 to July 4, 2021. A representative for the health district stated this was not a ransomware attack.

The review of the files exfiltrated from its systems was completed on February 12, 2022, and confirmed the theft of the following types of patient information: names, birth dates, dates of death, Social Security numbers, financial account data, treatment details, diagnosis data, medical record/patient numbers, and health insurance policy details.

Issuance of notification letters to affected individuals started on March 15, 2022. Those who had their Social Security numbers compromised were provided complimentary credit monitoring services. Chelan Douglas Health District mentioned it did not know of any reports of identity fraud or misuse of patient information. Steps were already undertaken to strengthen the security of its systems to avoid further data breaches in the future.

The breach is not yet published on the HHS’ Office for Civil Rights portal, therefore it is currently uncertain exactly how many people were impacted. There were several reports in the press that indicate the PHI of around 109,000 persons had been stolen in the cyberattack.

Liberty of Oklahoma Corporation Reports BEC Attack

Oklahoma’s Department of Human Services and Liberty of Oklahoma Corporation (LOC) have reported that a business email compromise (BEC) attack in early December 2021 potentially resulted in access to patient information.

On December 7, 2022, an employee in the Oklahoma Waitlist program received an email from a spoofed email account attempting to redirect payments that were due to LOC. The scam was detected, so no fraudulent payments were made; however, the investigation into the incident revealed that the email account of an LOC employee had been compromised.

The email account was promptly disabled, and a review was conducted to identify the types of records that were potentially accessed or stolen. The review confirmed the exposure of names, Social Security numbers, addresses, dates of birth, phone numbers, Oklahoma client numbers, and the contact information of representatives.

LOC submitted the breach report to the HHS’ Office for Civil Rights indicating that 5,746 persons were impacted.

Security Breach at East Tennessee Children’s Hospital

East Tennessee Children’s Hospital is investigating a security breach that occurred on March 13, 2022, and caused disruption to its IT systems. A hospital spokesperson said the incident did not affect the hospital’s ability to provide care to patients, and that its internal teams and external partners are working hard to minimize the disruption caused by the incident.

A forensic investigation has been launched to determine the nature and scope of the security incident; however, at this stage of the investigation, it is not known whether any patient data was viewed or stolen.

PHI Potentially Compromised in Cyberattacks at Norwood Clinic, Central Indiana Orthopedics, and Alliance Physical Therapy Group

Norwood Clinic

Norwood Clinic, a multi-specialty clinic based in Birmingham, AL, has begun notifying 228,103 individuals that some of their protected health information (PHI) was accessed during a cyberattack discovered on October 22, 2021. Upon discovering the breach, Norwood Clinic immediately secured its systems, and third-party security professionals investigated the incident to determine the nature and extent of the breach.

The investigation confirmed that an unauthorized individual gained access to a server containing patient data, including names, contact details, birth dates, driver’s license numbers, Social Security numbers, some health data, and/or health insurance policy numbers. Although unauthorized access was confirmed, it was not possible to determine which specific data was accessed, or whether any patient data was obtained during the attack.

Norwood Clinic said affected individuals have been offered a free one-year membership to credit monitoring, dark web monitoring, and identity theft protection services. Steps have been taken to improve cybersecurity, including changing email configurations and policies, updating and enhancing security hardware, adding stricter password complexity rules, and adopting more secure login processes.

Central Indiana Orthopedics

External counsel for Central Indiana Orthopedics (CIO) recently notified the Maine Attorney General and issued breach notification letters to 83,705 individuals affected by a cyberattack discovered on October 16, 2021. Although the notification letters were delayed, the breach was posted on the CIO website promptly after it was discovered in October 2021.

After suspicious system activity was detected, CIO had a third-party cybersecurity firm investigate the incident and help secure its IT systems. The investigation confirmed that files containing PHI were accessed by an unauthorized individual and were potentially stolen during the attack. The potentially exposed data included names, addresses, limited health data, and Social Security numbers.

CIO said affected individuals have been offered free identity theft protection services, including dark web monitoring and a $1 million identity theft insurance policy. Databreaches.net had earlier reported on the incident, noting that a threat group called Grief claimed responsibility and published some of the stolen data on the group’s data leak website.

Alliance Physical Therapy Group

Alliance Physical Therapy Group (APTG) in Grand Rapids, MI, said it discovered on December 27, 2021, that unauthorized individuals had gained access to certain systems within its network. A third-party cybersecurity firm engaged by APTG confirmed on January 7, 2022, that files containing the PHI of 14,970 patients may have been exfiltrated from its systems between December 23, 2021 and December 28, 2021.

A review of those files confirmed that they contained patient names, birth dates, driver’s license numbers, Social Security numbers, health data, and health insurance data.

APTG said it is reviewing its cybersecurity policies and procedures and will implement additional measures and safeguards to prevent further cyberattacks. APTG found no evidence of misuse of patient information but has offered affected individuals one year of free credit monitoring and identity restoration services. Breach notification letters were mailed on January 28, 2022.

Paying a Ransom Is No Guarantee That Extortion Will Stop

The healthcare sector has been heavily targeted by ransomware groups, and victims often see paying the ransom as the best option to ensure a fast recovery; however, payment does not always end the extortion. Many victims have paid ransoms to obtain decryption keys or to prevent the publication of stolen files, only for the ransomware actors to continue the extortion.

The Federal Bureau of Investigation (FBI) advises never paying a ransom following a ransomware attack, because doing so gives threat actors more money for further attacks, encourages other threat groups to get involved in ransomware, and because there is no guarantee that paying will result in data recovery or prevent the misuse of stolen information.

A new survey by the cybersecurity company Venafi helps measure the extent to which further extortion occurs. The survey provides several key insights into what happens when victims do or do not pay the ransom demanded. It was conducted on 1,506 IT security decision makers from the United Kingdom, United States, Benelux, Germany, France, and Australia and examined the rapidly growing threat of ransomware attacks.

Venafi said ransomware attacks increased by 93% in the first 6 months of 2021, and by year-end ransomware attacks were occurring worldwide at a rate of one every 11 seconds. 67% of organizations with 500 or more employees said they had experienced a ransomware attack in the past 12 months, and 83% of ransomware attacks involved double or triple extortion tactics, where sensitive files are stolen and money is demanded to decrypt files, prevent publication of the data, and stop attacks on customers and suppliers.

According to the survey, 38% of attacks involved threats to extort victims’ customers using stolen data, 35% involved threats to publish stolen data on the dark web, and 32% involved threats to notify customers that their records had been stolen.

16% of victims who refused to pay the ransom had their data published on the dark web. 35% of victims said they paid the ransom but still did not recover their data, and 18% of victims said they paid the ransom to prevent the publication of stolen data, yet the data was still posted on the dark web. 8% reported that they did not pay the ransom and the attackers then attempted to extort their customers.

Many ransomware gangs now use the ransomware-as-a-service (RaaS) model, in which affiliates are recruited to conduct attacks in exchange for a percentage of any ransoms they generate. While RaaS operators usually provide playbooks and guidelines for conducting attacks, there is little enforcement of compliance. Ransomware groups typically operate for short periods and try to extort as much money as possible from victims before shutting down, rebranding, and starting again. There have also been cases of ransomware gangs handing stolen data and system access to other cybercriminal groups regardless of whether the ransom was paid, showing clearly that ransomware gangs cannot be trusted. Several ransomware gangs have taken over negotiations with victims from their affiliates, cut the affiliates out, and withheld payment, demonstrating that there is no honor among thieves either.

Businesses are unprepared to defend against ransomware that exfiltrates data, and so they pay the ransom, but this only encourages attackers to demand more. The bad news is that attackers continue with extortion threats even after the ransom has been paid.

Hackers Accessed Files With the PHI of 115,670 South Shore Hospital Patients and Spencer Gifts Health and Welfare Benefit Plan Members

Chicago’s South Shore Hospital has begun informing 115,670 present and past patients regarding a cyberattack on its system in December 2021. The hospital detected suspicious activity on its system on December 10, 2021, and took immediate action to control the attack. Emergency procedures were enforced to make sure patients can still be safely provided with care.

South Shore Hospital engaged a team of third-party computer forensics specialists to investigate the breach and determine whether patient data was viewed or stolen. The investigation confirmed that the attackers gained access to parts of its network that store files containing the protected health information (PHI) of patients and employee information, such as names, addresses, birth dates, Social Security numbers, health insurance information, medical information, diagnoses, health insurance policy numbers, Medicaid/Medicare information, and financial information.

South Shore Hospital said it will implement additional security measures to better protect its systems against cyberattacks, including stronger password policies, multifactor authentication, and supplemental anti-malware and anti-phishing software. The workforce will also receive additional training on data privacy and security.

South Shore Hospital has provided affected individuals with instructions on how to protect themselves against misuse of their data, including enrolling in a free one-year membership to IDX’s credit and CyberScan monitoring service. Affected individuals will also be covered by a $1 million identity theft reimbursement insurance policy and will have access to identity theft recovery services should they be needed.

Hacking Incident Reported by Spencer Gifts Health and Welfare Benefit Plan

Spencer Gifts has learned that unauthorized individuals gained access to its systems from November 24, 2021 to November 26, 2021, and potentially viewed or obtained files containing the PHI of 10,023 health and welfare benefit plan members.

The hacking incident was discovered on November 25, 2021, and its systems were secured the following day. The investigation confirmed the exposure of names, plan election information, and Social Security numbers. Notification letters were mailed to all affected individuals on January 24, 2022, and free identity theft monitoring services were offered. Spencer Gifts said it is reviewing its security policies and procedures and will implement additional electronic security measures.

Data Breaches Announced by Jefferson Health and Allegheny Health Network Home Infusion

Ransomware Attack on Vendor Affected Allegheny Health Network Home Infusion Patients

Allegheny Health Network Home Infusion, based in Pittsburgh, PA, has been notified of a ransomware attack on one of its vendors, Vantage Healthcare Network, Inc.

On October 17, 2021, Vantage noticed suspicious activity within its network and engaged a third-party cybersecurity firm to investigate the breach. AHN Home Infusion was notified on November 22, 2021, that the ransomware gang had gained access to systems containing patient data. The attackers exfiltrated some content prior to encryption.

AHN Home Infusion conducted its own investigation together with Vantage to determine which patients were affected and the types of information that were exposed. The following types of data may have been accessed or exfiltrated in the breach:

Names, billing data, prescription medications, nurse’s notes, patient referral details, treatment and therapy notes, scheduling data, medical device orders, and some Social Security numbers.

AHN Home Infusion said the investigation into the incident and the document review are ongoing. To date, there are no indications that any patient data has been or will be misused.

Vantage has reported that it has retrieved all files encrypted during the attack. Those who had their Social Security numbers compromised will be provided complimentary credit monitoring services. The provider has submitted the breach report to the HHS’ Office for Civil Rights indicating that 7,500 individuals were impacted.

Hacker Acquired Access to Jefferson Health Insurance Portal

Jefferson Health in Philadelphia, PA has discovered that unauthorized individuals gained access to an online health insurance portal used to submit billing information for payment. The breach occurred on November 18, 2021, and the threat actor attempted to redirect wire payments intended for Jefferson Health.

On November 22, 2021, the insurance company learned that the attacker had obtained a remittance record containing the billing information of 3,475 patients of Abington Memorial Hospital and 5,239 patients of Thomas Jefferson University Hospital. The remittance document contained names, month and year of birth, date(s) of service, treatment codes, and treatment charges. No Social Security numbers, health insurance information, financial account information, or other treatment information were compromised.

Jefferson Health has sent breach notification letters to affected individuals and said it is reviewing and improving its security practices.

Disruption to Maryland Department of Health Services Continues One Month After Ransomware Attack

Maryland Chief Information Security Officer (CISO) Chip Stewart has released a report confirming the disruption to Maryland Department of Health (MDH) services due to a ransomware attack.

A security breach was discovered on the morning of December 4, 2021, and rapid action was taken to isolate the affected server and contain the cyberattack. Stewart said the Department of Information Technology was able to isolate and contain the affected systems within a couple of hours, limiting the severity of the ransomware attack. Stewart stated in a January 12, 2022 statement that, thanks to this rapid response, no evidence of unauthorized access to or acquisition of State data has been identified at this stage of the ongoing investigation.

According to Stewart, a distributed-denial-of-service (DDoS) attack was attempted immediately after the ransomware attack; however, that attack did not succeed. Evidence collected during the investigation of the ransomware and DDoS attacks indicates they were conducted by different threat actors.

Stewart said he reported the incident to the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), activated the state’s cybersecurity insurance policy through the State Treasurer’s Office, and called in third-party forensic experts to assist with the investigation, response, and recovery efforts.

The response to the ransomware attack required systems to be taken offline, sites on the network to be isolated from each other, and external access to resources over the internet and by third parties to be discontinued. The containment strategy limited the ability of state employees to use computers and access shared resources, and about a month after the ransomware attack some services remain disrupted. Although the response and recovery strategy has caused ongoing disruption, Stewart said this approach was necessary to protect the state’s systems and the residents of Maryland and was essential to prevent reinfection.

Atif Chaudhry, MDH Deputy Secretary for Operations, said a major focus after the attack was ensuring business and service continuity, which involved using the FEMA Incident Command System (ICS). Under the ICS, a Unified Command Structure is formed to manage the incident. This allows MDH and DoIT to work together to handle and resolve all incident-related issues. DoIT provides the technical support and is leading the network security and IT system recovery efforts.

MDH experienced a shortage of equipment following the attack, which meant staff had to share computers in the workplace. To address the situation, Chaudhry reported that MDH purchased 2,400 laptop computers and that another 3,000 will be bought this week. Additional IT equipment such as wireless access points and printers was also purchased to ensure staff have the equipment needed to do their jobs. Alternative processes were also implemented to ensure staff could meet the most critical needs of the public, including a move to Google Workspace. Google Workspace has given staff a range of online tools unaffected by the ransomware attack, ensuring that personnel can collaborate and save and share important information.

The attack has disrupted the state’s pandemic response. On January 12, 2022, MDH reported it had recovered about 95% of state-level surveillance data and is working to restore all COVID-19 datasets. Reports will be updated as soon as possible.

PHI Exposed at Millennium Eye Care and Duneland School Corporation Cyberattack

Millennium Eye Care Says Ransomware Gang Stole a Large Amount of Patient Data

Millennium Eye Care, a provider of ophthalmology services based in Freehold, NJ, announced on December 22, 2021, that hackers had recently gained access to its computer network and used ransomware to encrypt files in an attempt to extort money from the practice.

The breach notification letters did not state when the attack occurred; however, Millennium Eye Care said that on November 14, 2021, it learned that a large amount of data had been exfiltrated before files were encrypted. The files obtained in the attack contained a range of protected health information (PHI), including names and Social Security numbers.

Millennium Eye Care said it has enhanced its network security procedures to reduce the risk of further attacks and has provided additional cybersecurity training to employees to help them detect external attacks.

Affected individuals were notified by mail and were provided with information on the steps they can take to protect against identity theft and fraud. Identity theft protection services are being offered at no cost, and affected patients will also be covered by a $1,000,000 identity theft reimbursement policy.

The breach has been reported to the authorities but has not yet appeared on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals were affected.

Duneland School Corporation Cyberattack Reported

Duneland School Corporation, based in Indiana, has notified the HHS’ Office for Civil Rights about a recent cyberattack in which the protected health information of 7,000 individuals was potentially compromised.

The cyberattack was identified on October 27, 2021, when certain systems on its network became unavailable. A third-party cybersecurity firm investigated the incident and determined the nature and scope of the attack. The investigation confirmed that unauthorized individuals had access to parts of its network between October 21 and October 27, and that those systems contained the personal information of employees and information related to its self-insured health plan, including names, dates of birth, driver’s license numbers, Social Security numbers, and benefits information.

Duneland School Corporation says it has implemented additional safeguards and technical security measures to prevent further cyberattacks. Identity monitoring services are being offered to current and former employees, beneficiaries, and dependents whose data were exposed.

Broward Health Informs Over 1.3 Million Individuals Concerning the October 2021 Data Breach

The year began with a major breach report from Florida-based Broward Health, which has recently started notifying more than 1.3 million patients and employees about a data breach that occurred on October 15, 2021. A hacker gained access to the Broward Health network through the office of a third-party medical provider that had been granted access to the Broward Health system to provide healthcare services.

Broward Health identified and blocked the intrusion on October 19, 2021, and reset the passwords of all staff members to prevent further unauthorized access. With the assistance of a third-party cybersecurity firm, Broward Health conducted a detailed investigation to determine the nature and scope of the breach.

The investigation confirmed that the attacker gained access to parts of the network where employee and patient records were stored, which contained sensitive data including names, addresses, email addresses, dates of birth, phone numbers, financial/bank account information, health insurance information, medical histories, medical conditions, treatment and diagnosis information, medical record numbers, Social Security numbers, and driver’s license numbers. Broward Health said some information was exfiltrated from its systems.

The cyberattack was reported to the Department of Justice, which asked Broward Health to delay mailing breach notification letters to affected individuals so as not to impede the law enforcement investigation.

Broward Health has taken steps to enhance security and prevent similar incidents in the future, including implementing multifactor authentication for all users of its systems and setting minimum security requirements for all devices with access to its network that are not managed by Broward Health’s information technology department. Those security requirements will take effect this January.

Broward Health has not received any reports suggesting that patient or employee information has been misused; however, as a precaution against identity theft and fraud, affected individuals have been offered a complimentary 2-year membership to the Experian IdentityWorks service, which includes identity theft protection, detection, and resolution services.

The incident does not yet appear on the HHS’ Office for Civil Rights breach portal, but the Maine Attorney General lists the incident as potentially affecting 1,357,879 patients.

400,000 Planned Parenthood Patients Potentially Impacted by Ransomware Attack

Planned Parenthood has recently reported that it experienced a ransomware attack in October that affected its Los Angeles branch.

According to the report, a ransomware group had access to the network from October 9, 2021 to October 17, 2021, and deployed ransomware to encrypt files. The attacker issued a ransom demand in exchange for the keys to decrypt the files. Before deploying the ransomware, the attackers exfiltrated selected files from the systems, which were used as leverage to pressure Planned Parenthood into paying the ransom. It is currently unclear whether the ransom was paid; however, at the time of writing, no stolen files had been published on the ransomware group’s data leak website.

Planned Parenthood Los Angeles detected the ransomware attack on October 17, 2021, and took immediate steps to secure its systems and investigate the breach. Upon confirming that files had been stolen, the organization conducted a review to determine the types of data affected. It was confirmed on November 4, 2021 that some of the stolen files contained patient data.

The types of data in the compromised files varied from patient to patient. The following may have been affected: names, addresses, birth dates, diagnoses, health insurance information, and medical information, such as details of procedures performed and any prescription medications given. Planned Parenthood has reported the cyberattack to law enforcement, and the investigation into the breach is ongoing.

A Planned Parenthood Los Angeles spokesperson said about 400,000 patients were potentially affected and will receive notification letters by mail with instructions on how to protect against misuse of their data. Planned Parenthood said there have been no reports of misuse of any stolen patient data to date.

Planned Parenthood has taken steps to enhance its existing security measures to prevent further cyberattacks, including improving monitoring of its systems and hiring additional staff to strengthen its cybersecurity team.

The type of information exfiltrated from Planned Parenthood’s patients is very dangerous in the hands of criminals. Bad actors can use PII such as addresses and birth dates, along with clinical data, for fraudulent medical scams and bogus insurance claims, according to Paul Laudanski, head of threat intelligence at the email security company Tessian.

This cyberattack is not the first for Planned Parenthood. In 2020, patient data was stolen in a hacking incident at its Metropolitan Washington branch, and in 2015, hacktivists breached its systems and obtained the names and addresses of many patients.

Ohio DNA Testing Company Alerts 2.1 Million People Concerning Breach of Personal Data

An Ohio-based DNA testing firm has recently announced a hacking incident that compromised the sensitive information of 2,102,436 people. DNA Diagnostics Center (DDC) said it discovered suspicious network activity on August 6, 2021, and confirmed that unauthorized individuals accessed and obtained data files from an archived data storage system between May 24, 2021 and July 28, 2021.

According to the data breach investigation, the attackers exfiltrated files containing full names, financial account numbers, debit/credit card numbers and CVV codes, platform account passwords, and Social Security numbers. The firm said genetic testing information was stored on a separate system that was not accessible to the hackers. No information related to its current operations was exfiltrated in the cyberattack.

The database contained backups created between 2004 and 2012 that were associated with a national genetic testing firm DDC acquired in 2012. DDC said the legacy system accessed by the hackers was never used in DDC’s operations and has been inactive since 2012. DDC did not disclose the identity of the genetic testing firm that collected the information. It is likely that the people affected by the breach were unaware that DDC was holding their personal data.

DDC said files were copied from its systems and that it is working with third-party cybersecurity specialists to recover the stolen information and ensure the attackers make no further disclosures. No ransomware was involved in the attack, but it appears the attackers are seeking payment to delete the information.

DDC said it is not aware of any actual or attempted misuse of patient data; however, as a precaution against identity theft and fraud, it is offering affected individuals one year of credit monitoring and identity theft protection services through Experian.

Breach notification letters were mailed to affected individuals in accordance with state regulations. DDC stated that the incident is not a reportable breach under the Health Insurance Portability and Accountability Act (HIPAA).

33,000 Patients Affected by Ransomware Attack at Nationwide Laboratory Services

Nationwide Laboratory Services, based in Boca Raton, FL, which Quest Diagnostics acquired last summer, experienced a ransomware attack at the beginning of 2021.

Nationwide Laboratory Services discovered a breach of its systems on May 19, 2021. Ransomware had encrypted files across its network and prevented access to them. Steps were promptly taken to contain the attack, and a third-party cybersecurity firm assisted with the investigation and remediation.

The forensic investigation confirmed on August 31, 2021, that the attackers had gained access to parts of its systems that stored patients’ protected health information (PHI), and may have accessed data including names, birth dates, laboratory test results, Medicare numbers, medical record numbers, and health insurance information. The Social Security numbers of some affected individuals were also exposed. The types of data exposed in the attack varied from patient to patient.

Nationwide Laboratory Services reported the breach to the Department of Health and Human Services’ Office for Civil Rights as affecting approximately 33,437 individuals whose PHI was potentially exposed.

Nationwide Laboratory Services said the hackers likely exfiltrated a small number of files from its systems before using the ransomware to encrypt files; however, no evidence has been found to suggest that patient information was or will be used for any unauthorized purpose. As a precaution, affected individuals are being urged to review their accounts and explanation of benefits statements for signs of fraudulent activity.

Nationwide Laboratory Services has offered a year of free credit monitoring services to individuals whose Social Security numbers were stored on the affected systems.

The FBI recently issued a private industry notification about ransomware actors targeting companies engaged in significant financial events such as mergers and acquisitions and using exfiltrated data to extort money from victims. In several cases, the hackers threatened to publish sensitive and potentially damaging data to drive down stock prices in order to pressure victims into paying the ransom.

Lavaca Medical Center and Throckmorton County Memorial Hospital Report Security Breaches

Lavaca Medical Center, a critical access hospital in Hallettsville, TX, has started notifying 48,705 patients about a security breach in which their protected health information (PHI) was exposed.

Lavaca Medical Center said it discovered unusual activity in its computer network on August 22, 2021, indicating a possible cyberattack. The healthcare provider took immediate steps to secure its systems and engaged a third-party computer forensics firm to assist with the investigation. The forensic investigators confirmed that unauthorized individuals had access to the network between August 17 and August 21.

Although no evidence of data theft was found, the possibility that patient information was viewed or exfiltrated could not be ruled out. The breached systems contained information such as names, dates of birth, Social Security numbers, patient account numbers, and medical record numbers. The hackers were not able to access the electronic medical record system.

Lavaca Medical Center said it has no reason to believe any patient information was taken from its systems or misused; nevertheless, the HIPAA Breach Notification Rule requires notification letters to be sent to affected individuals. As a precaution, affected individuals have been offered credit monitoring and identity theft protection services at no cost.

Network monitoring tools have already been enhanced, and its systems will be routinely checked for unauthorized activity.

Malware Infection Discovered by Throckmorton County Memorial Hospital

Texas-based Throckmorton County Memorial Hospital has discovered that unauthorized individuals gained access to parts of its computer system that held the personal records of 3,136 employees and patients.

The attack was discovered on September 7, 2021, when unauthorized access to its systems and the installation of malware were identified. According to the forensic team, the network was compromised on August 25, 2021, and the attackers retained access until September 7.

A review of the affected systems established that they contained patient data such as first and last name, date of birth, address, gender, date(s) of service, diagnoses, Current Procedural Terminology codes, condition, medication, and details of hospital visits. Employee data potentially compromised included name, salary history, Social Security number, payroll information, and filing details.

Throckmorton County Memorial Hospital said affected individuals have been offered a complimentary credit monitoring service membership and will be covered by an identity theft and fraud insurance policy. Notifications about the breach were delayed to allow time for the malware to be removed and security to be improved, as notifying earlier would have left its systems vulnerable to other threat actors.

FIN12 Ransomware Group Actively Attacks the Healthcare Industry

Ransomware is currently the biggest cyber threat facing the healthcare sector. Attacks often disrupt healthcare IT systems for weeks or months, leaving medical records inaccessible. Research by the Ponemon Institute and Censinet shows that attacks cause treatment delays, more complications, poorer patient outcomes, and an increase in mortality rates.

Several ransomware groups have publicly stated that they will not target the healthcare sector, but that is not the case with FIN12. According to a newly published report from Mandiant, 20% of the attacks conducted by the ransomware group have been on the healthcare sector.

FIN12 is a high-profile ransomware group that goes after big game targets. Nearly all FIN12 victims have annual revenues of over $300 million, with an average of roughly $6 billion. FIN12 has been active since 2018 and has mostly attacked organizations in North America. Although the group has recently expanded geographically and also attacks the Asia Pacific region and Europe, the most frequently targeted sectors remain healthcare, financial services, education, technology, and manufacturing.

Mandiant says FIN12 is the most prolific ransomware actor it tracks. The group is behind approximately 20% of all ransomware attacks the firm responds to, making it the most frequently active ransomware deployment actor.

It is not clear why FIN12 attacks the healthcare sector when other ransomware-as-a-service operations do not. Mandiant believes that because healthcare providers need to regain access to patient data quickly, they are more likely to pay the ransom without delay. In other sectors, negotiations with victims can drag on for weeks.

Mandiant believes FIN12 is a professional ransomware deployment actor that relies on initial access brokers (IABs). IABs typically receive a percentage of any ransom payments generated, although some ransomware operations pay a flat rate. Mandiant has found evidence that FIN12 usually gives 30-35% of the ransom to the IAB.

TrickBot is one of the IABs widely used by FIN12. It is a botnet operation that provides persistent access to victims’ networks. The group has also partnered with the BazarLoader operation and has recently purchased credentials that allow it to log in to Citrix systems. FIN12 typically deploys the Ryuk ransomware variant, which can spread throughout a network, corrupting and encrypting data on multiple systems.

Unlike many ransomware actors that spend weeks inside a victim’s network before deploying ransomware, FIN12 conducts fast attacks, with an average time-to-ransom (TTR) of less than 4 days. The group appears to be prioritizing speed in its attacks, and the TTR is decreasing: some recent attacks had a TTR of 2.5 days. These efficiency gains are enabled by specialization in a single stage of the attack lifecycle, which lets threat actors build expertise faster, Mandiant explains.

Mandiant says the gang stands out from other ransomware actors because its use of multifaceted extortion is rare. It is now very common for data to be exfiltrated before ransomware is deployed and for threat actors to threaten to publish the stolen data if victims do not pay. Mandiant says the decision not to engage in data theft is probably due to the effect it has on the TTR. In attacks where FIN12 did exfiltrate data, the TTR was approximately 12.5 days.

Although victims may be more likely to pay the ransom when threatened with data exposure, the additional time spent also increases the risk of detection before files can be encrypted. FIN12’s apparent success without these extra extortion methods suggests the group does not consider the extra time needed to steal data worth the risk of having its attack thwarted.