Ransomware Attack on GenRx Pharmacy and Additional Blackbaud Ransomware Attack Victims

GenRx Pharmacy, based in Scottsdale, AZ, is sending notifications to a number of patients concerning the potential exposure of some of their protected health information (PHI) because of a ransomware attack. The pharmacy discovered the ransomware attack on September 28, 2020, and on the same day its IT staff acted immediately and blocked the attacker's access to its systems. The investigation found that the ransomware was deployed on September 27, but before deploying it the attacker exfiltrated some files containing PHI.

An analysis of the breached files confirmed that they contained PHI including names, addresses, birth dates, sexuality, patient IDs, allergy data, prescription transaction IDs, drug lists, health plan details, and prescription data. The pharmacy does not collect Social Security numbers and does not keep financial details, so those data were not breached. GenRx Pharmacy had backups that were used to restore the encrypted data and did not pay the ransom.

Though the number of people impacted is not yet clear, GenRx Pharmacy said fewer than 5% of past patients were affected. Since the attack, GenRx has upgraded its firewall and anti-virus software, added a web filter, improved network monitoring, implemented multi-factor authentication, and deployed a real-time attack detection system. It has provided employees with additional training and revised internal policies and guidelines as needed. Further controls and measures are also being evaluated to improve security.

Blackbaud Ransomware Attack Impacted Nebraska Methodist Health System and Texas Tech University Health Sciences Center

Two additional victims of the Blackbaud ransomware attack have reported being impacted by the data breach.

Nebraska Methodist Health System has confirmed that certain personal information and PHI of 39,912 persons were exposed in the attack. Texas Tech University Health Sciences Center has reported that the incident affected 37,000 people.

Both entities use Blackbaud's customer relationship management and financial services solutions for fundraising purposes. From February 7, 2020 to May 20, 2020, attackers had access to Blackbaud's systems and could have obtained backup copies of client data prior to deploying the ransomware. Blackbaud paid the ransom and the attackers gave assurances that the stolen data had been deleted.

Nebraska Methodist Health System said the following data were compromised: names, demographic and contact data, medical record numbers, reasons for appointments, treating physicians, treating provider, and encounter types (i.e., emergency outpatient, outpatient surgery, or observation).

The Texas Tech University Health Sciences Center database included names, email and mailing addresses, phone numbers, dates of birth, TTUHSC medical record numbers, and physician names and specialties.

PHI of 295K Patients Potentially Exposed Due to AspenPointe Cyberattack

AspenPointe of Colorado Springs experienced a cyberattack in September 2020 that led to the potential exposure of patient data. The provider of mental health and behavioral health services shut down its systems while mitigating the attack, which disrupted its operations for a few days.

Third-party cybersecurity specialists investigated the breach to determine the extent of the patient data compromise and helped with system restoration. On November 10, 2020, the investigators confirmed that the attackers had potentially accessed or acquired patient records.

The documents on the breached systems included patient names together with one or more of the following: birth date, Social Security number, bank account information, driver's license number, Medicaid ID number, diagnosis code, date of last consultation, and dates of admission/discharge.

Upon discovery of the breach, AspenPointe reset all passwords. It also deployed additional endpoint protection technology to strengthen its cybersecurity, reconfigured its firewall, and upgraded other processes and network monitoring.

The healthcare provider is currently mailing breach notification letters to all patients possibly affected by the attack and is offering them complimentary IDX credit monitoring membership for 12 months. Breach victims are also covered by an identity theft insurance policy of up to $1 million and, where warranted, identity theft recovery services.

The substitute breach notice issued by AspenPointe makes no mention of any reported fraud, identity theft, or misuse of patient information. No evidence has been found that the attackers actually stole patient data.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicated the potential impact of the attack on the protected health information (PHI) of 295,617 patients.

UVM Health Electronic Health Record System is Now Online One Month After Ransomware Attack

A month after being hit with a ransomware attack, the University of Vermont Health Network reported that its electronic health record (EHR) system has been restored. The ransomware attack happened on October 25, 2020 and caused a major outage at six of its hospitals. For the past month, with its computer systems offline, employees had no choice but to record patient information, orders, and prescriptions using pen and paper.

UVM continued to provide patient care throughout the attack and recovery process, but the restoration of its EHR will significantly improve performance. The attack caused major disruption, particularly at the University of Vermont Medical Center in Burlington, although the entire network was affected. With essential patient data inaccessible, several elective procedures were rescheduled, and the radiology department on the main campus experienced delays and was only partially open.

In a November 24, 2020 report, UVM Health said it had reached a significant milestone in its recovery: its Epic EHR system was back online for its inpatient and outpatient sites, including UVM Medical Center, the Central Vermont Medical Center ambulatory clinics, Champlain Valley Physicians Hospital, and Porter Medical Center.

Although electronic patient data can now be accessed and employees can record patient data electronically, the recovery process is not yet over and much work remains. The UVM Health teams are working around the clock to restore everything fully, quickly, and safely.

The phone system has been restored, but the MyChart patient portal remains unavailable, so patients cannot yet access their health data online. Hundreds of other patient care applications used by the health network also remain inaccessible. UVM Health is working to restore those systems and will bring them back systematically, prioritizing patient-facing systems.

Several other healthcare systems suffered ransomware attacks around the same time as the UVM Health cyberattack. St. Lawrence Health System in New York restored its electronic health record systems two weeks after its ransomware attack, but Sky Lakes Medical Center had to replace the bulk of its networks and workstations because of the attack.

Ashtabula County Medical Center (ACMC) in Ohio was particularly badly affected by a ransomware attack on September 24, 2020. Aside from the medical center, the attack also affected five health centers. Two months after the attack, the EHR has still not been restored, and full restoration may not be achieved until the end of the year.

Cyberattackers Ask for Ransom Demands from Four Winds Hospital, NY and Advanced Urgent Care of Florida Keys

Katonah, NY-based Four Winds Hospital discovered that ransomware had encrypted its files on or around September 1, 2020. The attack blocked the hospital's access to its computer systems and resulted in around two weeks of downtime while the attack was mitigated.

When Four Winds Hospital learned of the attack, it immediately took steps to prevent further unauthorized access to its systems. Third-party cybersecurity professionals helped to identify the extent of the ransomware attack and determine whether patient information had been compromised.

According to the substitute breach notice issued by Four Winds Hospital, the cybersecurity professionals obtained information indicating that the attackers had deleted any files they had taken, although this cannot be independently verified. That suggests a ransom was paid, although Four Winds Hospital has not confirmed this.

The attack did not affect the electronic health record system, email system, cloud environment, or encrypted data fields. According to the investigation, the attackers accessed password-protected files and may have viewed patient lists dating from 1983 to the present. Those lists contained names and medical record numbers, and 100 of the records included Social Security numbers. The attackers may also have accessed various files containing patient information from 2013 to the present. Those files contained the names, Social Security numbers, and treatment details of Medicare patients admitted to the hospital before 2019.

The incident has not yet been published on the HHS' Office for Civil Rights breach portal, so the number of patients affected by the breach is still unknown.

Advanced Urgent Care of Florida Keys

Advanced Urgent Care of Florida Keys began sending breach notifications to patients on November 6, 2020 regarding a ransomware attack that occurred on March 1, 2020. Although the breach notice does not mention it, Databreaches.net reported on March 14, 2020 that patient data had been stolen during the ransomware attack and that the attackers leaked the stolen data online when no ransom was paid.

According to the Advanced Urgent Care breach notice, the post-attack investigation to determine whether patient data had been compromised continued until September 11, 2020. The ransomware encrypted files stored on a backup drive that contained protected health information (PHI) such as names, birth dates, medical treatment data, lab test results, medical diagnostic details, health insurance details, medical record numbers, Medicare or Medicaid beneficiary numbers, medical billing data, bank account details, debit or credit card data, driver's license numbers, CHAMPUS ID numbers, Military and/or Veterans Administration numbers, Social Security numbers, and signatures.

Advanced Urgent Care offered complimentary credit monitoring services to patients whose Social Security numbers were compromised and has taken steps to improve security to prevent further attacks and to detect and remediate future threats.

829,454 Individuals Affected by Luxottica Data Breach

Luxottica, the world's largest eyewear company, has experienced a cyberattack that affected a number of the company's websites.

Luxottica owns eyewear brands including Ray-Ban, Persol, and Oakley, and manufactures designer eyewear for many well-known fashion brands. It also operates the EyeMed vision benefits company, along with Pearle Vision, LensCrafters, Target Optical, and several other eye care businesses.

Luxottica partners have access to an online appointment scheduling application that allows patients to schedule consultations with eye care providers online and by telephone. According to the latest breach notification, unknown individuals hacked the appointment scheduling application on August 5, 2020 and potentially gained access to the personal data and protected health information (PHI) of patients of Luxottica's eye care partners.

Luxottica learned of the cyberattack on August 9, 2020 and immediately took action to contain the breach. The subsequent investigation confirmed that the hackers potentially accessed and obtained patients' personal data and PHI. The types of information compromised included names, contact details, appointment dates and times, medical insurance policy numbers, appointment notes, doctors' notes, and data associated with eye care treatment, such as medical conditions, operations, and prescription medications. The credit card numbers and/or Social Security numbers of some patients may also have been exposed.

Luxottica has not received reports of any cases regarding personal data or PHI misuse. However, as a safety precaution, the company offered free two-year identity theft protection services via Kroll to persons whose financial data or Social Security numbers were potentially exposed. Luxottica began sending breach notifications to 829,454 people on October 27, 2020.

Luxottica has suffered other security breaches this year. A Nefilim ransomware attack on September 18, 2020 caused substantial outages and disruption to the eyewear company's services in China and Italy. The attackers also stole sensitive information before deploying the ransomware.

Cyberattacks on Timberline Billing Service and University of California San Francisco

A ransomware attack on Medicaid billing company Timberline Billing Service, LLC, based in Des Moines, IA, resulted in the encryption of files and the theft of data prior to encryption.

Investigators confirmed that an unidentified person had access to its systems from February 12, 2020 to March 4, 2020 and deployed ransomware. Before encrypting files, the attacker exfiltrated certain information from its systems.

Timberline's clients include about 190 schools in Iowa, and it has already notified the affected school districts in the state about the breach. The exact number of schools affected is still unclear, and it is also unconfirmed whether the breach affected only schools in Iowa, as Timberline also has offices in Illinois and Kansas.

The attacker potentially obtained the following types of data: names, birth dates, billing details, and Medicaid ID numbers. The Social Security numbers of a limited number of clients were also potentially compromised. Although the investigators confirmed data theft, no reports of data misuse have been received.

Timberline has reported the breach to the Department of Health and Human Services' Office for Civil Rights and indicated that 116,131 people were affected.

PHI Breach at University of California San Francisco

A cyberattack on the University of California San Francisco (UCSF) led to the potential compromise of personal and health data held by the UCSF School of Medicine. UCSF discovered the cyberattack on June 1, 2020; it affected a small part of the School of Medicine's IT systems. No further information was provided about the precise nature of the attack.

A leading cybersecurity expert assisted with the investigation and confirmed the compromise of records associated with current and former UCSF students, employees, collaborators, and research contributors. The data included names, government ID numbers, medical data, medical insurance details, Social Security numbers, and some financial data. UCSF states that it is not aware of any cases of personal data misuse.

UCSF has engaged third-party cybersecurity experts to strengthen its IT security defenses to prevent further breaches.

Sky Lakes Medical Center and St. Lawrence Health System Experience Ransomware Attacks

Two hospitals, St. Lawrence Health System in New York and Sky Lakes Medical Center in Klamath Falls, OR, have experienced ransomware attacks that forced the shutdown of their computer systems and compelled physicians to document patient data with pen and paper. Both attacks occurred on Tuesday, October 27, 2020 and involved Ryuk ransomware.

Sky Lakes Medical Center announced on its Facebook page that although its computer systems are offline, it will continue to provide patient care. Its emergency and urgent care departments remained open and fully operational, and the majority of scheduled elective procedures went ahead as planned. So far no evidence has been found to suggest that patient information was compromised, but the investigation is still in its early stages.

The ransomware attack on St. Lawrence Health System was discovered a few hours after the initial compromise. A statement issued by St. Lawrence Health System said its IT department took its systems offline to contain the attack and prevent the ransomware from spreading across the entire network.

According to the report, the ransomware attack affected three of St. Lawrence Health System's hospitals: Gouverneur Hospital, Canton-Potsdam Hospital, and Massena Hospital. As a precaution, ambulances were diverted from the affected hospitals to ensure that patients received proper care.

As with the attack on Sky Lakes Medical Center, no evidence has yet been found to suggest that patient data were compromised, although the Ryuk ransomware gang is known to have exfiltrated patient information before encrypting files in previous attacks.

CISA and the FBI, together with the Department of Health and Human Services (HHS), issued a joint advisory this week warning hospitals and public health sector organizations about a rise in targeted Ryuk ransomware attacks. There is credible evidence that the number of attacks on hospitals and other healthcare organizations is likely to increase.

Healthcare providers are being urged to take action to protect their systems from ransomware attacks. The advisory includes indicators of compromise and mitigation measures to help prevent attacks and identify attacks in progress.

Hackers Blackmail Finnish Psychotherapy Provider and Patients

Vastaamo, a leading psychotherapy provider in Finland, has experienced a cyberattack that resulted in the theft of highly sensitive patient information. The attackers threatened to publish the stolen information if a ransom is not paid, and some patient records have already been published online.

Vastaamo serves around 40,000 patients at more than two dozen clinics in Finland. Last week, Vastaamo began informing patients about the data breach after an individual contacted three of its employees and demanded a payment of 40 Bitcoin ($500,000) to prevent the release of the stolen patient information.

Vastaamo is not the only party to have received ransom demands. When Vastaamo did not pay, the attacker, who calls themselves "the ransom guy", also sent ransom demands to patients, asking for a payment of €200 ($236) in Bitcoin to prevent their data from being posted. Preliminary reports suggested that the information of around 300 patients had been posted on a darknet site, though later reports indicate that a 10GB file containing the records of approximately 2,000 patients was posted on the dark web.

The BBC contacted one patient who said the attacker gave him 24 hours to pay the initial ransom demand or the notes from his psychotherapy as a teenager would be published. The attacker also said the demand would rise to €500 ($515) if the ransom was not paid within 24 hours.

Vastaamo reported on its website that its systems appear to have been first accessed at some point in November 2018, and that a second breach took place in March 2019. The stolen information appears to relate to patients who received treatment before November 2018, although it is possible that records were stolen in the second breach in March 2019.

Vastaamo stated that the breach affected the following data: customer names, ID numbers, dates of consultations, and information entered manually by the psychotherapist, which may have included care plans, session notes, and statements submitted by patients to authorities.

It is unclear at this time how many Vastaamo patients were affected by the breach, although the director of Finland's National Bureau of Investigation, Robin Lardot, believes the records of tens of thousands of patients were stolen. It is also unclear why the threats have only now been issued. It is possible that a third party purchased the stolen data and has embarked on an extortion campaign.

Records of psychotherapy sessions are among the most sensitive data held by healthcare providers. Patients discuss their problems in consultations in a confidential environment where they feel safe and protected, and information disclosed in sessions may never have been shared with anyone else. Finland's interior minister described the incident as "a shocking act which hits all of us deep down." He added that Finland must be a country where help for mental health issues is available and accessible without fear.

For a company offering psychotherapy services, the confidentiality of customer data is of the utmost importance and the starting point for all operations. Vastaamo said it deeply regrets the leak resulting from the data breach. Vastaamo also announced that it has dismissed its CEO, Ville Tapio, for failing to inform its board of directors and parent company about the March 2019 breach.

6 Russian Hackers Charged for Offensive Cyber Campaigns – the 2017 NotPetya Wiper Attacks Included

The U.S. Department of Justice has announced the indictment of six Russian hackers for their participation in the 2017 NotPetya malware attacks and a long list of other offensive cyber operations against targets in the United States and other countries.

The six individuals are alleged to be officers of the GRU, Russia's Main Intelligence Directorate, specifically GRU Unit 74455, known as Sandworm. The Sandworm unit is believed to be responsible for many offensive cyber campaigns conducted over a number of years.

Sandworm is believed to have played a key role in efforts to influence foreign elections, including the 2017 French presidential election and the 2016 U.S. presidential election. One of its most damaging operations was the use of the NotPetya malware in 2017. The NotPetya wiper was used in destructive attacks around the world that exploited a vulnerability in Microsoft Windows Server Message Block version 1 (SMBv1).

NotPetya affected a number of medical centers and hospitals, destroying data and shutting down computer systems. It also hit the pharmaceutical company Merck, the FedEx subsidiary TNT Express, and the Danish shipping company Maersk. The cost of the NotPetya attack on Merck alone was estimated at $1.3 billion. Total damages caused by the malware exceeded $10 billion, with more than 300 firms around the world affected.

Sandworm was also behind attempts to disrupt the 2018 Winter Olympics using the Olympic Destroyer malware, and attempted to interfere with the investigation into the Novichok poisoning of former Russian spy Sergei Skripal and his daughter, which was conducted by the Organization for the Prohibition of Chemical Weapons and the U.K.'s Defence Science and Technology Laboratory.

Sandworm was likewise responsible for the destructive attacks on Ukraine's energy grid and other government targets between December 2015 and December 2016 using the BlackEnergy, KillDisk, and Industroyer malware, as well as attacks on government entities and companies in Georgia in 2018.

The indicted Russian operatives are Sergey Vladimirovich Detistov, Yuriy Sergeyevich Andrienko, Pavel Valeryevich Frolov, Artem Valeryevich Ochichenko, Anatoliy Sergeyevich Kovalev, and Petr Nikolayevich Pliskin. Each has been charged with seven counts:

  • one count of conspiracy to commit computer fraud and abuse
  • one count of conspiracy to commit wire fraud
  • one count of intentional damage to a protected computer
  • two counts of wire fraud
  • two counts of aggravated identity theft, including false registration of domain names

The maximum sentence if convicted on all seven counts is 71 years in prison. The indictment also details the specific role each defendant played in the attacks, confirming the nature of the intelligence gathered on each individual by intelligence agencies, foreign governments, law enforcement, and private firms.

Russia has responded by denying any involvement in the cyberattacks attributed to the hackers. A spokesperson for the Russian embassy in Washington said that Russia does not have, and has never had, any motive to engage in destabilizing activity anywhere in the world.

It is unlikely that the charged attackers will ever face trial, since there is no extradition treaty between Russia and the United States.

Data Breaches at Piedmont Cancer Institute, McLaren Oakland Hospital and The Health and Wellness Clinic

Piedmont Cancer Institute (PCI) in Atlanta, GA, is notifying 5,226 patients about the potential compromise of some of their protected health information (PHI) after an unauthorized person gained access to an employee's email account.

An independent cybersecurity company assisted PCI in confirming that the email account had been accessed for over a month. The unauthorized individual first gained access to the account on April 5, 2020, and PCI secured the account on May 8, 2020.

The audit of the compromised account was completed on August 8, 2020 and showed that it contained protected health information. Besides names, the patients affected by the breach had one or more of the following data elements exposed: birth date, credit/debit card number, financial account data, and/or medical details such as diagnosis and treatment information.

To prevent further breaches, PCI has implemented multi-factor authentication on its email accounts and provided additional email security training to its employees.

McLaren Oakland Hospital Identified Potential Data Breach

McLaren Oakland Hospital in Pontiac, MI, has discovered that the PHI of 2,219 patients was exposed and may have been accessed by unauthorized individuals.

On July 10, 2020, McLaren Oakland learned that a file on a desktop computer contained an unauthorized, unsecured URL pointing to a file containing the protected health information of current and former patients.

No evidence was found that any of the sensitive information in the file was accessed by unauthorized individuals, and no reports have been received suggesting that patient information was misused. As a precaution, McLaren Oakland Hospital advised the affected individuals to monitor their account statements and credit reports for any sign of misuse of their PHI, and offered them complimentary identity theft protection and monitoring services.

When the PHI exposure was discovered, the hyperlink was disabled. The investigation found that an employee had accidentally made the hyperlink insecure. McLaren Oakland has reviewed its policies and procedures and provided staff with further training on patient privacy and data security.

Patient Records Stolen from Health and Wellness Clinic in Edmonds, WA

The Health and Wellness Clinic, a natural medicine and physical care provider based in Edmonds, WA, has had patient records stolen in a burglary at its facility.

Over the weekend of August 29 to 30, a burglar forced open a locked storage room located off the clinic's massage suite. The room appeared to have been rummaged through, documents had been removed from several files, and a box of paper files was missing. The stolen documents contained data such as names, Social Security numbers, birth dates, health histories, and treatment information.

The Health and Wellness Clinic reported the theft to the police, who investigated, identified a suspect, and recovered the stolen box of paper records. It is not yet clear how many paper records were taken from the clinic.

Business Associate Pays Penalty of $2.3 Million for ePHI Exposure of 6M People and Multiple HIPAA Failures

The Department of Health and Human Services' Office for Civil Rights has announced its 10th HIPAA violation penalty of 2020. This is the seventh financial penalty to settle HIPAA violations to be announced within a matter of days.

The latest financial penalty is the largest imposed in 2020. The $2.3 million settlement resolves a case involving five potential HIPAA Rules violations, including the exposure of the electronic protected health information (ePHI) of 6,121,158 people.

CHSPSC LLC, based in Tennessee, is a management company that provides services to numerous subsidiary hospital operator companies and other affiliates of Community Health Systems. Its services include legal, accounting, compliance, operations, IT, health information, and human resources management. Providing those services involves access to ePHI, so CHSPSC is classified as a business associate and must comply with the HIPAA Security Rule.

On April 10, 2014, CHSPSC suffered a cyberattack by an advanced persistent threat group known as APT18. The attackers used compromised administrator credentials to remotely access CHSPSC's information systems through its virtual private network (VPN) solution. CHSPSC did not detect the attack until the Federal Bureau of Investigation (FBI) notified it on April 18, 2014 that its systems had been breached.

While the hackers had access to CHSPSC's systems, the ePHI of 6,121,158 persons was downloaded. The records had been provided to CHSPSC by 237 HIPAA-covered entities that used its services. The stolen data included the following elements: name, birth date, gender, telephone number, email address, Social Security number, ethnicity, and emergency contact data.

OCR investigated the breach and found systemic noncompliance with the HIPAA Security Rule. Although it may not always be possible to prevent attacks by sophisticated hackers, once an attack is detected, immediate action should be taken to limit the harm. Despite being alerted by the FBI in April 2014 that its systems had been compromised, the hackers remained active in CHSPSC's information systems for four months and were only removed in August 2014. During that period, CHSPSC failed to prevent unauthorized access to ePHI, in violation of 45 C.F.R. §164.502(a), and the attackers continued to steal ePHI.

The failure to respond to a known security incident between April 18, 2014 and June 18, 2014, to mitigate the harmful effects of the breach, and to document the incident and its outcome violated 45 C.F.R. §164.308(a)(6)(ii).

OCR investigators found that CHSPSC had failed to conduct an appropriate and thorough risk analysis to identify the risks to the confidentiality, integrity, and availability of ePHI, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(A).

Technical policies and procedures to restrict access to information systems containing ePHI held by CHSPSC to authorized persons and software programs had not been implemented, in violation of 45 C.F.R. § 164.312(a).

Procedures had not been implemented to ensure that records of information system activity, such as audit logs and system security event reports, were regularly reviewed, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(D).
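As an added illustration of the routine log review the last violation refers to (example code written for this page, not CHSPSC's, OCR's or any vendor's), the script below parses constructed VPN authentication log lines and flags the pattern described in this incident: a privileged account authenticating over the VPN from an unfamiliar address. The log format, account names, IP addresses and business-hours window are all assumptions.

```python
"""Routine review of VPN authentication logs for privileged-account anomalies.

Added example for this page, not CHSPSC's or OCR's code. The log format,
account names and addresses are constructed; the point is the kind of regular
audit-log review 45 C.F.R. § 164.308(a)(1)(ii)(D) expects, applied to the
scenario above: an administrator credential used over the VPN from an
unfamiliar external address.
"""
import re
from datetime import datetime, time

# Constructed log format: "<ISO timestamp> vpn auth user=<name> src=<ip> result=<ok|fail>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>ok|fail)$"
)

BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed local working window


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def review_vpn_log(lines, admin_accounts, baseline_ips):
    """Return a list of (timestamp, user, src, reason) alerts.

    For accounts in admin_accounts, flags:
      - a successful login from a source address not in that user's baseline
      - a successful login outside BUSINESS_HOURS
      - a success preceded by three or more failures from the same source
    """
    alerts = []
    failures = {}  # (user, src) -> consecutive failures before the next success
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skipped, would be counted in a real review
        key = (rec["user"], rec["src"])
        if rec["result"] == "fail":
            failures[key] = failures.get(key, 0) + 1
            continue
        fails = failures.pop(key, 0)
        if rec["user"] not in admin_accounts:
            continue
        ts, user, src = rec["ts"], rec["user"], rec["src"]
        if src not in baseline_ips.get(user, set()):
            alerts.append((ts, user, src, "admin login from unknown source"))
        if not (BUSINESS_HOURS[0] <= ts.time() <= BUSINESS_HOURS[1]):
            alerts.append((ts, user, src, "admin login outside business hours"))
        if fails >= 3:
            alerts.append((ts, user, src, f"success after {fails} failures"))
    return alerts


# Constructed sample data: one legitimate admin login, then a privileged
# account authenticating at night from an address it has never used.
ADMIN_ACCOUNTS = {"svc_backup_admin", "netadmin"}
BASELINE_IPS = {
    "svc_backup_admin": {"10.20.0.5"},
    "netadmin": {"10.20.0.7", "198.51.100.4"},
}

SAMPLE_LOG = """\
2014-04-10T08:15:02 vpn auth user=netadmin src=10.20.0.7 result=ok
2014-04-10T23:41:10 vpn auth user=svc_backup_admin src=203.0.113.77 result=fail
2014-04-10T23:41:15 vpn auth user=svc_backup_admin src=203.0.113.77 result=fail
2014-04-10T23:41:21 vpn auth user=svc_backup_admin src=203.0.113.77 result=fail
2014-04-10T23:41:30 vpn auth user=svc_backup_admin src=203.0.113.77 result=ok
2014-04-11T09:02:44 vpn auth user=jdoe src=203.0.113.77 result=ok
malformed line that the parser should skip
"""


def sample_alerts():
    """Run the review over the constructed sample log."""
    return review_vpn_log(SAMPLE_LOG.splitlines(), ADMIN_ACCOUNTS, BASELINE_IPS)


if __name__ == "__main__":
    for ts, user, src, reason in sample_alerts():
        print(f"{ts.isoformat()} {user} {src}: {reason}")
```

Run daily over the previous day's VPN log, every alert is something a reviewer should reconcile against a change ticket or a known admin; the three alerts on the sample are all for the same account and source address.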

Threat actors frequently target the healthcare sector. The failure to implement the security requirements of the HIPAA Rules, particularly after being notified by the FBI of a likely breach, is inexcusable. A substantial financial penalty was therefore appropriate.

CHSPSC chose not to contest the case and agreed to pay the financial penalty to settle the HIPAA violations. The settlement also requires CHSPSC to adopt a robust corrective action plan to address all areas of noncompliance, and CHSPSC will be closely monitored by OCR for two years.

Patient Died Because of a Hospital Ransomware Attack

Ransomware attacks on hospitals put patient safety at risk. File encryption takes essential systems offline and breaks communication channels, leaving clinicians unable to access patients' medical records.

Highly disruptive attacks can force hospitals to divert patients to other facilities, which recently happened at University Hospital Düsseldorf in Germany following a ransomware attack. One patient needing emergency treatment for a life-threatening condition was redirected to a hospital in Wuppertal, roughly 21 miles away. The diversion delayed treatment by about an hour, and the patient later died. The death might have been avoided had treatment been provided sooner.

The ransomware attack occurred on September 10, 2020 and took the hospital's systems down entirely. Investigators confirmed that the attackers gained access to the network by exploiting a vulnerability in a widely used commercial add-on product. As encryption progressed, hospital systems began to fail and medical records became inaccessible.

The hospital had to suspend emergency admissions and postpone scheduled appointments and outpatient care. Patients were told that visits were on hold until the attack was resolved. A week later the hospital had still not resumed normal operations, although it had begun bringing critical systems back online.

According to an Associated Press report, the attack affected 30 of the hospital's servers. The ransom note was found on one of the encrypted servers. The hospital notified the police, who used the contact details in the ransom note to reach the attackers.

It appears the attackers did not intend to hit the hospital: the ransom note was addressed to Heinrich Heine University in Düsseldorf. Police informed the attackers that the attack had affected the hospital and was endangering patients.

The attackers then handed over the decryption keys and withdrew the extortion demand, after which they could no longer be contacted. The investigation is ongoing, and prosecutors are considering charging the attackers with negligent homicide.

To date there has been no confirmed case of a ransomware attack on a healthcare provider directly causing a patient's death. But when ransomware takes hospital systems offline, patients with life-threatening conditions cannot be treated promptly, and tragic outcomes are possible.

Several ransomware groups have publicly stated that they will not attack healthcare facilities in ways that affect hospital systems, and that they will provide decryption keys free of charge if they do. Even when keys are provided, recovery from an attack is far from easy. Other groups have made no such commitment and continue to attack medical facilities.

Breaches at Imperium Health, Atrium Health and Saint Luke’s Foundation

Imperium Health Management, a Louisville, KY-based provider of development services to Accountable Care Organizations (ACOs), is notifying 139,114 people that some of their protected health information (PHI) may have been compromised in a phishing attack.

Imperium Health discovered the attack on April 23, 2020. The investigation found that two email accounts were compromised, one on April 21, 2020 and the other on April 24, 2020, after employees responded to phishing emails. The emails contained links that appeared legitimate but led to a web page that harvested the employees' email credentials.

A review of the compromised accounts found that they contained the following PHI: patient names, dates of birth, addresses, medical record numbers, health insurance information, account numbers, Medicare numbers, Medicare Health Insurance Claim Numbers (which may include Social Security numbers), and some clinical and treatment information. Imperium Health did not confirm that the accounts contained PHI until June 18, 2020.

An independent computer forensics firm assisted with the investigation and confirmed that only the two email accounts were compromised; the attackers did not access any other part of Imperium Health's systems. Although it is possible that the attacker viewed or downloaded patient information, no evidence has been found that patient data were viewed, acquired, or misused.

Imperium Health has implemented additional security measures to protect its systems against further attacks, including two-factor authentication for remote access to email accounts and new procedures for securing transfers of sensitive data. Employees have received further training on email security and on recognizing phishing emails.

Blackbaud Ransomware Attack Impacts Atrium Health and Saint Luke's Foundation

Saint Luke's Health Foundation recently reported that the personal and demographic information of 360,212 people was compromised in the Blackbaud ransomware attack.

The attackers obtained a backup copy of a database and used it to extort Blackbaud. The data are believed to have been taken at some point between February 7, 2020 and May 20, 2020. Blackbaud paid the ransom in exchange for the decryption keys and to prevent further exposure of the stolen data. Blackbaud says it believes the attacker did not share or publish any of the data and that the stolen copy has been permanently destroyed.

The compromised data included names, mailing and email addresses, phone numbers, and/or dates of birth. Some patients also had guarantor names exposed, along with limited medical information such as dates of service and the departments where care was received.

Atrium Health, one of the largest health systems in the country with more than 900 care locations, has also reported that its patients' data were affected by the Blackbaud ransomware attack. The compromised data included first and last names, contact details, demographic information (such as date of birth, guarantor details, decedent status where applicable, and patient ID numbers), dates of treatment, locations of service, and the names of treating physicians. For affected minors, the guarantor's name and relationship were also exposed, as were the dates and amounts of donations made by patients to Atrium Health.

Over 60,000 People Affected by Ransomware Attacks on Northwestern Memorial HealthCare and the City of Lafayette

Northwestern Memorial HealthCare has learned that the personal information of people who previously donated to it may have been compromised in the recent Blackbaud ransomware attack. An unauthorized party first accessed Blackbaud's systems on February 7, 2020 and may have retained access until the ransomware was deployed on May 20, 2020.

Before deploying the ransomware, the attacker may have accessed a backup of a database containing names, dates of birth, age, gender, medical record numbers, departments of service, dates of service, treating physicians, and/or limited clinical information. The Social Security numbers and/or financial or payment card details of five people were also in the database. In total, the information of 55,983 Northwestern Memorial HealthCare donors may have been compromised.

Northwestern Memorial HealthCare is reviewing its third-party database vendors and its relationship with Blackbaud to prevent similar breaches in the future.

Names and Medical Insurance Data of 15,000 Lafayette Fire Department Ambulance Users Exposed

On July 27, 2020, a ransomware attack on the City of Lafayette, CO disrupted its telephone, email, online billing, and reservation systems and rendered essential data inaccessible. After weighing the costs and benefits of the available options, the city decided to pay the attackers $45,000 to avoid prolonged disruption of its online services.

Before deploying the ransomware, the attackers may have accessed personal data stored on Lafayette's systems, including city employees' Social Security numbers and the usernames and passwords of users of its online services. The attackers may also have obtained the names and health insurance identification numbers of 15,000 people transported by Lafayette Fire Department ambulances before January 1, 2018.

The city has removed the ransomware, rebuilt its network servers and computers, deployed backup systems designed to withstand ransomware, and implemented additional cybersecurity measures to prevent further attacks.

Cyber Attacks on R1 RCM Medical Collection Agency and Beaumont Health

One of the largest medical debt collection companies in the United States has suffered a ransomware attack. Chicago-based R1 RCM, formerly Accretive Health Inc., reported $1.18 billion in revenue in 2019 and works with more than 750 healthcare clients. It is not yet known how many clients were affected.

Brian Krebs of KrebsOnSecurity first reported the breach. R1 RCM has confirmed the ransomware attack, which forced it to shut down its systems; restoration efforts are ongoing.

R1 RCM has not disclosed the ransomware variant or whether patient data were stolen before files were encrypted, but Krebs reported that Defray ransomware was used. Defray is typically delivered through malicious Word documents in small, targeted email campaigns, and the threat actors behind it have previously attacked the education and healthcare sectors.

In 2019, American Medical Collection Agency (AMCA), another medical debt collection agency, suffered a data breach in which roughly 27 million records were stolen. It was the largest data breach of 2019, and the costs of the incident drove AMCA into bankruptcy. With far more clients than AMCA, the R1 RCM attack could be much larger, although it is not yet known whether the Defray operators stole data before encrypting files.

6,000 Patients Affected by Beaumont Health Phishing Attack

Beaumont Health, the largest healthcare system in Michigan, has begun notifying 6,000 patients that unauthorized individuals may have accessed some of their protected health information (PHI) as a result of a phishing attack.

Unauthorized individuals had access to several employee email accounts between January 3, 2020 and January 29, 2020. Beaumont Health determined on June 5, 2020 that one or more of the compromised accounts contained patient information, including names, dates of birth, diagnosis codes, diagnoses, procedures performed, treatment locations, treatment types, medication details, Beaumont medical record numbers, and patient account numbers. Affected patients were notified on July 28, 2020.

This is the second phishing-related data breach Beaumont Health has reported in 2020; in April, the health system notified 112,000 people about a phishing attack that occurred in 2019. Since the attacks, Beaumont Health has taken steps to strengthen email security, including enhancing its multi-factor authentication solution, completing a risk analysis, and providing additional training to staff on identifying and handling malicious emails. Internal policies and procedures were also revised to identify and remediate potential threats and reduce the likelihood of a recurrence.

Ransomware Attacks on Four Healthcare Companies and a Ventilator Manufacturer

Boyce Technologies Inc, a transport communication systems provider in Long Island City, NY, recently converted its manufacturing facilities to produce ventilators for hospitals during the pandemic. Boyce Technologies suffered a DoppelPaymer ransomware attack in which data were stolen before files were encrypted. The threat actor published some of the stolen data on its leak site, including assignment forms, purchase orders, and other sensitive documents.

The FDA authorized Boyce Technologies to manufacture ventilators, and the company was producing approximately 300 units a day. The ventilators are used by hospitals in New York, and the company is now producing them for other locations. The ransomware attack threatens ventilator production and may put lives at risk.

Piedmont Orthopedics/OrthoAtlanta, an orthopedic and sports medicine network in the greater Atlanta area, suffered a Pysa (Mespinoza) ransomware attack. As in the Boyce Technologies attack, the threat actors stole sensitive data before encrypting files. Databreaches.net reported that the attackers published approximately 3.5 GB of data online, including files containing patients' protected health information (PHI).

The Center for Fertility and Gynecology in Los Angeles, CA and Olympia House Rehab in Petaluma, CA suffered NetWalker ransomware attacks. In both cases the threat actors stole data, including patients' PHI, and published it online.

Muskingum Valley Health Centers in Zanesville, OH recently notified 7,447 patients that threat actors may have obtained some of their PHI in a ransomware attack on the EHR system of OB GYN Specialists of Southeastern Ohio Inc, which contained the records of patients treated between 2012 and 2017. The attack occurred on May 31, 2020 and was identified by Muskingum Valley on June 2.

Investigators found no evidence that patient data were stolen before the ransomware was deployed, although data theft could not be ruled out. The records the attackers could have accessed included names, dates of birth, addresses, diagnoses, health conditions, laboratory test results, treatment information, insurance claim details, Social Security numbers, and financial data.

Muskingum Valley has offered affected individuals two years of free credit monitoring and identity theft recovery services. Security policies and procedures have been updated and passwords reset to prevent further attacks.

According to Emsisoft, 41 healthcare providers reported ransomware attacks in the first six months of 2020. Double-extortion attacks, in which the attackers threaten to publish or sell stolen data if the ransom is not paid, are on the rise as more threat groups adopt the tactic; Emsisoft estimates that roughly 1 in 10 ransomware attacks now involves data theft.

Russian APT Group is Targeting Organizations Involved in COVID-19 Research

The APT29 hacking group, also known as Cozy Bear, is targeting healthcare organizations, pharmaceutical companies, and research institutions in the United States, United Kingdom, and Canada in an attempt to steal research on COVID-19 and vaccine development.

On July 16, 2020, Canada’s Communications Security Establishment (CSE), the National Security Agency (NSA), the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) and the UK National Cyber Security Centre (NCSC) issued a joint advisory to heighten awareness of the threat.

APT29 is a cyber espionage group that is almost certainly part of the Russian intelligence services. The group has historically targeted government, diplomatic, think-tank, healthcare, and energy organizations to steal sensitive information. It has been highly active throughout the COVID-19 pandemic and has conducted numerous attacks on organizations working on COVID-19 research and vaccine development.

The group conducts widespread scanning to identify unpatched systems and uses publicly available exploits to gain initial access. It has been observed exploiting the Citrix vulnerability CVE-2019-19781, the FortiGate vulnerability CVE-2018-13379, the Pulse Secure vulnerability CVE-2019-11510, and the Zimbra vulnerability CVE-2019-9670, and may use other exploits as well.
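All four of those vulnerabilities are exploited through crafted HTTP requests to internet-facing appliances, so exploitation attempts tend to leave a recognizable trace in gateway access logs. As an added example (not from the joint advisory), the following Python scans constructed Apache-style access log lines for the publicly documented request patterns of each CVE, URL-decoding paths first so that encoded traversal sequences such as %2e%2e are not missed. The log lines and IP addresses are constructed, and the confidence labels are the author's assumptions: the Zimbra check is marked low confidence because a POST to the Autodiscover path is only suspicious once the request body is inspected for an XML external entity declaration. The same check serves the patch-prioritization advice later in this section, since a hit with a 200 response against an unpatched host is a reason to treat that host as compromised rather than merely patch it.

```python
"""Added example: scan web/VPN gateway access logs for exploitation attempts
against the four CVEs APT29 was reported to use. Not from the advisory."""
import re
from urllib.parse import unquote

# Publicly documented request patterns for each CVE. "high" confidence means
# the matched path is itself the traversal payload; "low" means the path alone
# is ambiguous and the request body must be checked (assumed labels).
SIGNATURES = [
    ("CVE-2019-19781", "high", re.compile(r"/vpn/\.\./vpns/")),
    ("CVE-2019-11510", "high", re.compile(r"/dana-na/\.\./dana/html5acc/guacamole/")),
    ("CVE-2018-13379", "high", re.compile(r"/remote/fgt_lang\?lang=.*\.\./")),
    ("CVE-2019-9670", "low", re.compile(r"^/Autodiscover/Autodiscover\.xml", re.I)),
]

# Apache/nginx combined format: ip ident user [time] "METHOD path proto" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample log (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Jul/2020:10:01:22 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 412 "-" "curl/7.68.0"
198.51.100.3 - - [16/Jul/2020:10:02:05 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 2048 "-" "python-requests/2.23"
198.51.100.3 - - [16/Jul/2020:10:03:11 +0000] "GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
192.0.2.9 - - [16/Jul/2020:10:04:40 +0000] "POST /Autodiscover/Autodiscover.xml HTTP/1.1" 503 0 "-" "Mozilla/5.0"
10.0.0.5 - - [16/Jul/2020:10:05:00 +0000] "GET /vpn/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Jul/2020:10:06:13 +0000] "GET /vpn/%2e%2e/vpns/portal/scripts/newbm.pl HTTP/1.1" 200 0 "-" "curl/7.68.0"
"""


def parse_line(line):
    """Parse one combined-format line; the path is URL-decoded before matching."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return {"ip": ip, "ts": ts, "method": method, "path": unquote(path), "status": int(status)}


def scan(log_text):
    """Return one hit dict per (line, CVE) match, with confidence and a
    likely_success flag set when a high-confidence payload got a 200."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for cve, confidence, pattern in SIGNATURES:
            if not pattern.search(rec["path"]):
                continue
            # The Zimbra XXE is a POST; a GET to Autodiscover is ordinary client traffic.
            if cve == "CVE-2019-9670" and rec["method"] != "POST":
                continue
            hits.append({**rec, "cve": cve, "confidence": confidence,
                         "likely_success": confidence == "high" and rec["status"] == 200})
    return hits


def summarize(hits):
    """Count hits per CVE, which is the list to hand to whoever owns patching."""
    counts = {}
    for h in hits:
        counts[h["cve"]] = counts.get(h["cve"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(h["ip"], h["cve"], h["confidence"], "success" if h["likely_success"] else "", h["path"])
    print(summarize(found))
```

Run against the constructed log it reports five hits: two Citrix traversals from the same source (one of them percent-encoded), one Pulse Secure, one FortiGate, and one low-confidence Zimbra POST that returned 503. The ordinary /vpn/index.html request is not flagged. Because the appliances in question often cannot run endpoint agents, this kind of log-side check is frequently the only retrospective evidence available.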

APT29 uses a range of tools to obtain credentials and maintain persistent access, and routes connections through anonymizing services when using stolen credentials. It is deploying custom malware, including WellMess and WellMail, two families not previously attributed to APT29.

WellMess is a lightweight malware written in Golang or .NET that can execute arbitrary shell commands and upload and download files, using HTTP, TLS, and DNS for command and control. WellMail is a lightweight tool that uses hard-coded client and certificate authority TLS certificates to communicate with its C2 servers. A third family, SoreFang, is also in use: a first-stage downloader that exfiltrates data over HTTP and retrieves second-stage malware. The attackers use SoreFang to target Sangfor devices.

Attacks on organizations engaged in COVID-19 research are likely to continue, and any such organization should consider itself a target. Organizations were advised to take steps to protect their systems and to monitor for attacks.

Organizations should ensure all software is patched and up to date, prioritizing patches for CVE-2018-13379, CVE-2019-9670, CVE-2019-19781, and CVE-2019-11510. Antivirus software should be deployed and kept current, and regular scans run to identify downloaded malware.

Multi-factor authentication should be enforced so that stolen credentials alone cannot be used to access systems. All staff should be trained on the phishing threat and be confident in their ability to recognize a phishing attempt; they should be told to report suspected phishing to their security teams, and reports should be investigated promptly and thoroughly.

Organizations have been urged to put security monitoring in place so that the data needed to investigate network intrusions is collected. Networks should be segmented, with measures in place to prevent and detect lateral movement.

Malware Attack on Benefit Recovery Specialists Exposed the PHI of 274,837 People

Benefit Recovery Specialists, Inc. (BRSI), a billing and collection company based in Houston, TX, has announced the discovery of malware on its systems and the potential unauthorized access of protected health information (PHI).

BRSI is a business associate of health plans and healthcare providers, which supplied the personal information and PHI of their current and former members and patients for storage on BRSI systems.

BRSI discovered the malware on April 30, 2020 and immediately launched an internal investigation. Third-party computer forensics experts were engaged to determine the nature and scope of the attack. They found that an unauthorized individual had accessed BRSI systems using compromised employee credentials and, after establishing a foothold, downloaded the malware.

The forensic specialists concluded that the attacker first accessed BRSI systems on April 20, 2020 and retained access until April 30, 2020. During that time the attacker had access to PHI, which may have been copied. BRSI posted a substitute breach notice on its website but did not say what kind of malware was used.

The sensitive information stored on the affected systems included names, dates of birth, dates of service, provider names, policy ID numbers, diagnosis codes, and/or procedure codes. The Social Security numbers of some individuals were also likely exposed.

The investigation concluded on May 29, 2020, and BRSI began sending notification letters to patients on June 2, 2020. No evidence of misuse of PHI has been found, but BRSI has advised affected individuals to remain vigilant against identity theft and fraud and to monitor their account statements and explanation of benefits statements for signs of misuse. The substitute breach notice makes no mention of credit monitoring services being offered.

BRSI has reported the incident to the Department of Health and Human Services' Office for Civil Rights, where the breach summary lists 274,837 affected individuals, making this one of the largest healthcare data breaches reported in 2020.

$1.14 Million Ransom Paid by University of California San Francisco to Resolve NetWalker Ransomware Attack

University of California San Francisco has paid a ransom of $1.14 million to the NetWalker ransomware gang to resolve an attack on servers in its School of Medicine that resulted in the encryption of data. The attack took place on June 1, 2020. UCSF isolated the affected servers, but not in time to prevent file encryption.

UCSF School of Medicine is engaged in research toward a COVID-19 cure, and the university is heavily involved in antibody testing. The ransomware attack did not disrupt COVID-19-related work or patient care. UCSF believes the attackers did not access patient information, although some files were compromised in the attack.

The encrypted data were important to the university's research. Because the files could not be recovered from backups, UCSF negotiated with the attackers and paid roughly $1.14 million in exchange for a decryption tool and the return of the stolen data.

The BBC received an anonymous tip-off about the live negotiation between UCSF and the NetWalker operators on the dark web. According to its report, the attackers had posted a sample of the stolen data online, which was removed once UCSF made contact by email and negotiations began. UCSF initially offered $780,000; NetWalker demanded $3 million. The two sides eventually settled on 116.4 Bitcoin, then worth $1,140,895.

UCSF said on its website that the investigation indicates neither UCSF nor the School of Medicine was specifically targeted; investigators believe the servers were encrypted opportunistically rather than as part of a targeted attack. UCSF has reported the attack to the FBI and is assisting with its investigation.

NetWalker attacked three U.S. universities, including UCSF, within one week in June. The others were Columbia College Chicago and Michigan State University. The Columbia College data posted on the NetWalker leak site has since been removed, suggesting the college also paid the ransom.

Ransomware Attacks Reported by Rangely District Hospital and Electronic Waveform Lab

Rangely District Hospital in Colorado has begun notifying patients about an April 2020 ransomware attack that affected some of their protected health information (PHI) stored on parts of its network.

The hospital discovered the attack on April 9, 2020 and took steps to contain it, but could not prevent the encryption of some files, a number of which contained patient information.

Rangely District Hospital said its systems were first compromised on April 2, 2020, but ransomware was not deployed until April 9, 2020. The hospital reported that the encryption process was automated and that no evidence of data access or exfiltration was found. The investigation indicated that a foreign threat actor carried out the attack, but it was not possible to determine who was responsible.

Although the attackers are not believed to have accessed patient data, unauthorized access could not be ruled out. The encrypted files that could have been viewed contained names, addresses, telephone numbers, dates of birth, Social Security numbers, copies of driver's licenses, dates of hospital admission or service, diagnoses and conditions, treatment and procedure notes and orders, medications, imaging studies, and health insurance, claims, and billing details.

Although many files were restored from backups without paying the ransom, some patient data remain inaccessible. Along with files containing patient information, files required by a legacy software system were encrypted and could not be recovered. Rangely District Hospital used a Meditech database to store patient records between August 2012 and August 2017, and the legacy software is needed to read the records in that database. The database itself was not affected, but without the software, patient records created during that five-year period cannot be accessed. Records of some patients who received home health services between June 2019 and April 2020 also remain inaccessible. The hospital is exploring other options for accessing the database.

Patient Data Potentially Exposed Due to a Ransomware Attack at Electronic Waveform Lab

Electronic Waveform Lab, a Huntington Beach, CA manufacturer of medical, ophthalmic, surgical, and veterinary instruments, has reported a ransomware attack that encrypted data stored on some of its servers.

The affected servers contained a limited amount of personal and health information, including patient names, addresses, medical diagnosis codes, and some treatment information. The forensic specialists investigating the attack could not determine whether the attackers accessed or acquired patient data before encryption, and the possibility cannot be ruled out.

Electronic Waveform Lab had security measures in place before the attack, but they proved insufficient to prevent it. Security policies have been reviewed and are being strengthened to prevent similar breaches in the future.

Electronic Waveform Lab has restored its servers and records, and no patient data were lost as a result of the attack.