Data Breaches Reported by NextGen Healthcare, NationsBenefits Holdings and Murfreesboro Medical Clinic & SurgiCenter

NextGen Healthcare Breach Impacts Over 1 Million Individuals

NextGen Healthcare has begun informing over 1 million people throughout the United States of a hacking incident that compromised their protected health information (PHI). NextGen Healthcare, based in Atlanta, GA, provides electronic health records (EHR) and practice management services to physicians and providers of ambulatory care. On March 30, 2023, it detected suspicious activity in its NextGen Office system. Third-party cybersecurity specialists performed a forensic investigation to determine the nature and extent of the data breach. The investigation showed that unauthorized persons had access to the system from March 29, 2023 to April 14, 2023.

The attackers acquired access to a minimal dataset throughout that period of time. Accessed data included names, addresses, birth dates, and Social Security numbers. There is no proof found that suggests the attackers viewed patient health records or any medical information. There is likewise no report of any attempted or actual misuse of patient information. NextGen Healthcare reset passwords upon discovery of the breach. It also implemented extra security measures to reinforce security. The provider has started sending notification letters to impacted individuals and offered them free credit monitoring and identity theft protection services for two years.

The data breach is not yet posted on the HHS’ Office for Civil Rights breach website; however, it has already been reported on a number of state Attorneys General websites. The breach notification submitted to the Maine Attorney General indicated that 1,049,375 persons were impacted, including 3,913 residents of Maine. The breach report submitted to the Texas Attorney General indicated that 131,815 Texas residents were affected.

This is NextGen Healthcare’s second cyberattack in recent months. The first was in January 2023. The BlackCat ransomware group added NextGen to its data leak site, but the listing was removed later. Investigation of the incident revealed that no patient data was compromised or downloaded, and therefore this wasn’t considered a reportable data breach.

3 Million Record Data Breach at NationsBenefits Holdings

NationsBenefits Holdings, LLC is a company offering supplemental benefits, flex cards, and member engagement services to managed care companies and health plans. The company reported that it was impacted by the security breach associated with Fortra’s GoAnywhere MFT file transfer solution. Clop ransomware group was responsible for the attack, gaining access to NationsBenefits information on January 30, 2023, and extracting data from the GoAnywhere MFT solution. It demanded a ransom payment from the victim to stop exposing the stolen data. The group stole data from 130 organizations including NationsBenefits.

The Clop group took advantage of a previously unknown (zero-day) vulnerability in the GoAnywhere MFT solution, which made it possible for them to gain access to and steal information from unsecured on-premises MFT servers. NationsBenefits Holdings stated that the Clop ransomware group accessed only two MFT servers; nevertheless, an analysis of the records on those servers showed they included the PHI of 3,037,303 health plan members, which include, but are not limited to, ACE, Aetna, Elevance Health Flexible Benefits Plan, and UAW Retiree Medical Benefits Trust. The breached data included: first and last name, telephone number, address, birth date, gender, Social Security number, health plan subscriber ID number, and/or Medicare number.

The security breach also affected the following healthcare organizations: Brightline (no less than 964,300 persons) and Community Health Systems (1 million persons); nevertheless, NationsBenefits is presently the worst impacted healthcare organization. A total of over 4 million persons had their PHI stolen in these attacks. NationsBenefits stated it knew about the security breach as soon as its security monitoring group got an advisory from an MFT server on February 7, 2023, revealing unauthorized access. It contacted Fortra and asked to help with the investigation. The preliminary analysis verified the access of the MFT server and the data theft. The succeeding internal investigation showed that the threat actor didn’t move into the other systems or applications of NationsBenefits.

NationsBenefits stated that it had layered security controls in place before the attack and that it has since strengthened those security measures. NationsBenefits has taken its MFT servers completely offline and has switched to another file transfer solution that doesn’t depend on Fortra software. Notification letters were sent by mail to impacted persons starting on April 13, 2023. Complimentary credit monitoring services have been offered for 24 months.

Ransomware Attack Leads to 2 Week Operations Shutdown at TN Medical Clinic

Murfreesboro Medical Clinic & SurgiCenter (MMC), based in Tennessee, encountered a cyberattack that compelled the healthcare company to fully close operations for about two weeks to control the attack and reestablish its IT systems. It is usual for healthcare companies to carry out an emergency network shutdown to control a cyberattack and limit the damage done, and to work under emergency protocols, with personnel recording patient data by hand while systems are inaccessible. With certain attacks, ambulances are redirected to other hospitals, and a few appointments are postponed to ensure patient safety; however, the interruption brought on by this attack was a lot more extensive.

The cyberattack happened on April 22, 2023 resulting in the quick shutdown of the network to control the attack. Third-party cybersecurity specialists helped with the investigation and recovery efforts. MMC stated the quick action done following the security breach restricted the problems caused. Work continued 24/7 to securely restore systems online and improve security measures. MMC together with cybersecurity specialists and authorities inspected the incident to find out the scope of the attack, and although those procedures were done, it was decided to shut down all operations. MMC prepared to have a limited reopening on May 3, 2023, then have complete operations soon after that; nevertheless, the restoration process took more time than intended.

The MMC Pediatric and Internal & Family Walk-In Clinics located on Garrison Drive reopened on May 4, 2023; however, all other clinics were closed. On May 5, 2023, all surgical procedures in its SurgiCenter, Gastroenterology treatments, and Laboratory and Radiology services did not go ahead, and MMC Now clinics stayed closed, though telephone lines were restored. On May 6-7, MMC Pediatrics continued regular weekend operations; however, MMC Now Family Walk-In Clinics and Laboratory and Radiology services stayed shut during the weekend. On May 8, 2023, operations continued to be limited: a few scheduled consultations went ahead as intended, but MMC Now Family Walk-In locations and lab and radiology services stayed shut.

MMC is serious about keeping sensitive patient and worker data secure, however, like a lot of other companies throughout the country and in spite of its hard work, MMC is still a hot target of criminals trying to steal personal or company information. CEO Joey Peay of MMC stated that the company worked hard to communicate shutdowns with all individuals promptly utilizing all ways of communication available.

Although the precise nature of the cyberattack is not mentioned, this is known to be a ransomware attack with data theft. The impact on patient data is under investigation and MMC will make more announcements and give notifications as required when the investigation ends.

Data Breaches at Atlantic General Hospital, Lawrence General Hospital, OU Health and Other Healthcare Providers

A summary of data breach reports that were recently submitted to the HHS’ Office for Civil Rights, state Attorneys General, and the press.

Ransomware Attack at Atlantic General Hospital

Atlantic General Hospital (AGH) based in Berlin, MD, recently submitted a report of a ransomware attack to the Maine Attorney General that impacted roughly 30,704 people. AGH discovered the attack on January 29, 2023 after noticing the encryption of files. A third-party computer forensics firm helped with the investigation and confirmed the unauthorized access to files that contain patient data from January 20, 2023.

The analysis of the files was completed on March 6, 2023, and it was confirmed that they included names, financial account data, Social Security numbers, and at least one of these data types: treating/referring doctor, medical record number, medical insurance data, subscriber number, medical history data, or diagnosis/treatment details.

AGH mailed notification letters to the impacted persons on March 24, 2023. Impacted persons can sign up for a free one-year membership to credit and identity monitoring services. AGH gave its employees additional training and will implement more safety measures to prevent similar attacks in the future.

Hacking Incident at Lawrence General Hospital

Lawrence General Hospital based in Massachusetts just submitted a data breach report to the HHS’ Office for Civil Rights on February 23, 2023. Not much is known regarding the breach except that this hacking/IT incident affected 76,571 persons. As of March 29, 2023, the hospital has not yet published a notice on its website. Also, the breach is not yet posted on the Massachusetts Attorney General breach website.

Stolen Laptop Computer from OU Health

OU Medicine Inc., located in Oklahoma, has submitted a breach report indicating that the protected health information (PHI) of 3,013 OU Health patients was affected. On December 26, 2022, an employee’s laptop computer was stolen. OU Health conducted an audit of the files believed to be stored on the laptop and confirmed on January 17, 2023 that unauthorized individuals may have accessed emails that contained patient information such as names, dates of birth, driver’s license numbers, account numbers, Social Security numbers, medical record numbers, names of providers, dates of service, medical insurance data, and diagnosis and treatment data.

Although there were no reported cases of patient data misuse, OU Health cannot exclude the possibility of unauthorized access to patient information. The healthcare provider notified all impacted persons and gave free credit monitoring services to those who had their Social Security numbers exposed.

Hacking incident at Majestic Care

Majestic Care provides community-based skilled nursing care across Indiana, Michigan, and Ohio. It reported a hacking incident in December 2022 that caused access problems to its IT systems. The provider detected the security breach on December 13, 2022, and its information systems remained inaccessible until December 16, 2022.

It was confirmed by a forensic investigation that the disruption was due to a malicious software program installed in its systems by an unauthorized person, who initially acquired access to the system on December 9, 2022. By February 3, 2023, the investigation also confirmed the likely unauthorized access to the system and extraction of files with personal data and PHI, such as names, birth dates, mailing addresses, phone numbers, driver’s license numbers, Social Security numbers, and data associated with the treatment and billing for healthcare.

The breach impacted 2,636 persons who got treatment services via Majestic Care Middletown Assisted Living LLC based in Indiana.

GoAnywhere Hacking Incident at Blue Shield of California

Blue Shield of California (BSC) has reported the theft of the PHI of 63,341 persons during a hacking incident. The attackers exploited the zero-day vulnerability in Fortra’s GoAnywhere Managed File Transfer-as-a-service (MFTaaS) program.

BSC stated that it received notification about the breach on February 5, 2023, from Brightline Medical Associates. The company provides families and children with virtual behavioral health coaching and therapy. It was determined that there was a compromise in the file transfer application from January 28, 2023 to January 31, 2023. At that time, the attacker copied files that held sensitive data. These types of data were included in the files: name, date of birth, address, gender, phone number, Blue Shield subscriber ID number, e-mail address, plan group number, and plan name.

When Fortra discovered the breach, it immediately terminated unauthorized access to the system and took the application offline. Since then, the provider has applied the patch and rebuilt the application and gateway. BSC has given all impacted persons a free membership to credit monitoring and identity theft protection service by Experian IdentityWorks for 12 months.

The Clop ransomware group professed that it is responsible for the attacks and the data theft from 130+ companies, which include Community Health Systems.

GoAnywhere Hacking Incident at US Wellness Inc.

US Wellness Inc. based in Maryland has just reported that it was impacted by the GoAnywhere cyberattack, which led to the theft of the PHI of 11,459 members of the Blue Cross Blue Shield of Arizona.

US Wellness stated it detected the cyberattack on February 9, 2023. The following sensitive data were affected: names, addresses, dates of birth, where the services started, member ID numbers, and service locations. There was no misuse of the stolen information discovered. US Wellness stated it has taken steps to enhance security procedures to stop the same incidents later on. Impacted persons received notification regarding the breach on March 22, 2023.

Email Account Breach at Health Plan of San Mateo

Health Plan of San Mateo in San Francisco, CA recently reported an email account breach that led to the exposure and likely theft of the PHI of 4,032 plan members. The health plan discovered suspicious activity in its email environment on January 17, 2023. It was determined that an unauthorized person accessed an employee’s email account.

It is believed that the attacker accessed the account to change the employee’s direct deposit details and not to access plan member information. Nevertheless, unauthorized access to PHI cannot be excluded. The email account had a spreadsheet with names, dates of birth, member ID numbers, and some information about calls to the nurse advice line. Extra security procedures had been put in place to avoid the same incidents later on. Employees got additional training on identifying phishing attempts.

 

Exposure of Protected Health Information in 6 Recent Cyberattacks

Independent Living Systems, LLC (ILS), Florida Medical Clinic, Denver Public Schools, NorthStar Emergency Medical Services, The Bone & Joint Clinic, and Wichita Urology Group have lately reported cyberattacks resulting in the exposure and possible theft of protected health information (PHI).

Independent Living Systems

Independent Living Systems, LLC (ILS), based in Miami, FL, provides managed care organizations with third-party administrative services. It recently notified the Maine Attorney General that it encountered a data breach that impacted approximately 4,226,508 people – the biggest healthcare data breach so far in 2023.

Based on the breach notification, ILS discovered suspicious activity inside its computer network on July 5, 2022. Third-party cybersecurity professionals helped ILS confirm that unauthorized people gained access to its system from June 30, 2022 to July 5, 2022, and obtained files that contain sensitive information.

ILS performed a detailed analysis of all impacted files and was given the findings of the analysis on January 17, 2023. ILS then confirmed those results and got updated contact details of the impacted persons who will be sent notification letters.

The data compromised included names, birth dates, addresses, state ID numbers, taxpayer ID numbers, Social Security numbers, financial account details, Medicaid/Medicare IDs, diagnosis codes/diagnosis data, dates of admission/discharge, mental/physical conditions, treatment details, food delivery data, prescription data, billing/claims details, and medical insurance data. The types of data differed from one person to another.

The impacted persons had earlier received services straight from ILS, through its covered entity subsidiaries: HPMP of Florida Inc (doing business as Florida Complete Care), and/or Florida Community Care LLC, or from other health plans/data owner clients.

On September 2, 2022, ILS stated it included an initial notice on its website, however, it did not issue notification letters until the analysis and validation process was done. Notification letters were sent to impacted persons on March 14, 2023. Impacted persons were provided free credit monitoring services.

ILS stated it was working on applying extra safety measures to stop more cyberattacks, which include strengthening its firewall, changing complexity prerequisites for credentials, applying extra internal security processes, updating its employee training practices, and giving its employees more training.

Florida Medical Clinic

Florida Medical Clinic has lately reported that it encountered a ransomware attack. The healthcare provider discovered the attack on January 9, 2023, and took immediate action to control the attack, which minimized data exposure, even though files were encrypted. The third-party forensic investigation revealed the attacker viewed files that included patients’ PHI; nevertheless, the electronic medical record system of Florida Medical Clinic wasn’t impacted.

In a comprehensive breach notice, Florida Medical Clinic mentioned that 94,132 files were compromised, each of which just included minimal patient data. 95% of the exposed files just contained a person’s name. The remaining files contained names, telephone numbers, birth dates, email addresses, and addresses. There was no financial data compromised, and just 115 Social Security numbers had been compromised.

Florida Medical Clinic stated it has proof of permanently deleting all stolen files, which implies the attacker received ransom payment. There was no proof found of patient data misuse. The healthcare provider sent notifications to all impacted patients and implemented extra cybersecurity measures to stop more attacks, which include changing selected system components and altering remote access practices.

The incident is not yet posted on the HHS’ Office for Civil Rights breach website. Hence, the number of affected patients is still uncertain.

The Bone & Joint Clinic based in Wisconsin

The Bone & Joint Clinic manages 7 clinics located in Wisconsin. It recently informed present and past workers and patients concerning a cyberattack that was discovered on January 16, 2023 and the resulting network disruption. As per the notification letters, unauthorized persons possibly viewed and obtained files that contain data for instance names, addresses, telephone numbers, dates of birth, Social Security numbers, medical insurance data, and diagnosis and treatment data.

Impacted persons received notification letters on March 7, 2023, and free credit monitoring and identity theft protection services for 12 months. The breach report has been submitted to the HHS’ Office for Civil Rights indicating that 105,094 individuals were affected.

NorthStar Emergency Medical Services

NorthStar Emergency Medical Services based in Tuscaloosa, AL recently announced a data breach that impacted around 82,450 patients. Based on the notification submitted to the Maine Attorney General, the provider discovered suspicious activity inside its computer system on September 16, 2022; nevertheless, it confirmed the exposure of patient data only on March 8, 2023. There is no mention in the breach notice about the time when the attackers initially acquired access to its system.

The impacted files included data like names, Social Security numbers, dates of birth, patient ID numbers, treatment data, Medicaid/Medicare numbers, and medical insurance data. NorthStar Emergency Medical Services sent notification letters to the affected persons on March 14, 2023. It also offered free credit monitoring and identity theft protection services to impacted persons and took steps to toughen security.

Denver Public Schools

Denver Public Schools has lately reported that unauthorized persons acquired access to some parts of its servers and extracted files that included sensitive employee information. The school discovered the data theft on January 4, 2023. The forensic investigation affirmed that unauthorized persons got access to its system from December 13, 2022 to January 13, 2023.

The document analysis showed that the impacted files contained names, fingerprints (if included in the file), pay card numbers/bank account numbers, Social Security numbers, driver’s license numbers, student ID numbers, passport numbers, and a number of health plan enrollment details. The breach report was submitted to the HHS’ Office for Civil Rights as including the PHI of 35,068 present and past contributors in its employer-financed health plan. The number of students affected by the data breach is uncertain. Denver Public Schools stated extra security measures were put in place to stop the same breaches later on. Denver Public Schools is providing credit monitoring and identity theft protection services to impacted persons.

Wichita Urology Group

Wichita Urology Group in Kansas has lately informed 1,493 persons about the unauthorized people who acquired access to its system and possibly accessed or acquired files that contain names, prescription data, billing data, and medical insurance details.

Suspicious activity was noticed inside its system on January 3, 2023. The forensic investigation confirmed that the attack happened on January 2. Then, on January 26, 2023, the forensic investigation confirmed the exposure of PHI; nevertheless, there was no observed patient data misuse. Technical safety procedures were improved to avoid more attacks.

 

PHI Breached in Four Recent Malware and Ransomware Attacks

Data of Teijin Automotive Technologies Welfare Plan Members Exposed in December Ransomware Attack

Teijin Automotive Technologies has lately reported potential access and theft of the protected health information (PHI) of 25,464 members of its welfare plan due to a ransomware attack on December 1, 2022. Teijin Automotive Technologies talked openly regarding the attack and what caused it. The attacker circumvented its security systems during a phishing attack. On November 30, because one employee clicked a link in a phishing email, the threat actor was able to steal login credentials, breach the firm’s servers, and install ransomware the next day. The company controlled the ransomware attack on December 5, 2022.

The IT team took prompt action to avoid any more unauthorized access. The FBI and law enforcement received notification immediately and provided help with the incident investigation. The analysis of the breached servers showed they included data associated with Teijin Automotive Technologies’ welfare plan i.e. names, addresses, dates of birth, Social Security numbers, medical insurance policy data, and banking details for a limited number of members. Teijin Automotive Technologies believes that no medical information was saved on the impacted servers.

The security and privacy of personal employee data and the business details of its clients is important to Teijin Automotive Technologies. CEO Chris Twining expressed regrets about the occurrence of the incident and apologized to its employees, clients, and impacted persons. The company has taken the following extra steps to reinforce its data security: improving its security processes, making an investment in new technology, and giving employees additional training. Teijin Automotive Technologies has notified the affected persons and offered credit monitoring services.

Malware Attack Reported by Arizona Health Advantage

Healthcare provider Arizona Health Advantage based in Chandler, AZ, also known as Arizona Priority Care and AZPC Clinics, LLC in the business community, recently reported the discovery of malware on its network. Because of the incident, some of the servers became inaccessible. Unauthorized persons were able to access and extract patient data as well as health plan member information.

The company discovered the security incident on December 5, 2022, because employees could not access files on a few of its servers. With the assistance of a third-party computer forensics firm, the investigation confirmed the breach with the attack happening between December 1 and December 2. The attackers exfiltrated files that included the information of patients and members of these health plans: Alignment Health Insurance Company of Arizona, Inc., Alignment Health Plan of Arizona, Inc., Blue Cross Blue Shield of Arizona, WellCare Health Plans of Arizona, Inc. (Centene), and Health Net of Arizona, Inc. (Centene).

The types of information affected differed from one person to another. They might have involved names, birth dates, addresses, treatment dates, treatment details, health plan member numbers, service authorization numbers, and other personal data. Impacted persons received notifications and offers of membership to a credit monitoring service for one year. Extra security measures and practices have already been carried out to secure against attacks later on. As per the HHS’ Office for Civil Rights, the PHI of 10,978 persons was possibly exposed.

Garrison Women’s Health Reports Patient Data Access Due to Malware

Garrison Women’s Health based in Dover, NH, a division of Wentworth-Douglass Hospital, has just reported the potential theft of the PHI of 4,158 patients in a cyberattack involving Global Network Systems, its business associate.

Global Network Systems, a company offering technology services, discovered the cyberattack on December 12, 2022. As a result, a network breakdown made its systems inaccessible. The investigation revealed that an unauthorized third party had accessed Global’s network for 8 months. It was initially accessed on April 29, 2022.

Garrison Women’s Health stated the attack destroyed files in its electronic health records. Global wasn’t able to recover that information, which it hosted. The corrupted information was associated with patients who got healthcare services from April 29, 2022 to December 12, 2022, and contained health and treatment details, coding, claims information, insurance details, payment data, doctor notes, and scheduling details.

Garrison Women’s Health stated it could not recover the corrupted information from backup copies, however, it was possible to regain access to the data stored in certain radiology and ultrasound apps. After looking into other possible backup sources, Garrison was able to bring back its electronic medical record system and restore information before April 28, 2022.

Although the incident report did not state that this was a ransomware attack, it bore the hallmarks of one. Garrison Women’s Health stated it doesn’t believe there was any patient data misuse, though impacted persons were instructed to keep an eye on their accounts and Explanation of Benefits statements for suspicious transactions.

Although there was confirmed data loss, Garrison Women’s Health explained that part of the lost data was probably copied and kept by a patient’s primary care doctor, hospital, or other companies, or may have been acquired by the health plan of the patient.

Riverside Health System Data Exposed Due to Malware Attack on Intelligent Business Solutions

Intelligent Business Solutions (IBS) has recently begun issuing notifications to Riverside Health System’s cardio-thoracic patients to tell them that some of their personal data and PHI were potentially viewed or stolen. IBS detected a security breach on or around November 14, 2022 after identifying suspicious activity inside the IBS system. The forensic investigators determined that malware had been used to encrypt files on selected servers and systems. The breach occurred between November 10, 2022 and November 15, 2022.

The analysis of the impacted files showed they included these data types: name, birth date, medical insurance data, medical treatment details, and procedure details. Although data was likely stolen, IBS did not receive any report of actual or attempted improper use of the stolen data. IBS stated it had comprehensive guidelines, procedures, and cybersecurity defenses set up; however, it could not stop the attack. Those cybersecurity procedures are under review and will be revised, as needed, to minimize the probability of more attacks. Impacted persons received offers of free memberships to identity theft protection and credit monitoring services for two years.

NortonLifeLock Alerts Customers Regarding Possible Password Manager Breach

Just a couple of weeks after LastPass reported the theft of a copy of users’ encrypted password vaults by hackers, there is news of another password manager data breach. NortonLifeLock has just informed around 6,450 persons that unauthorized individuals accessed their accounts, putting their Password Manager accounts in danger.

Gen Digital, the owner of NortonLifeLock, detected account breaches on December 12, 2021, after its breach detection system began generating alerts about a high number of unsuccessful login attempts. Based on the investigation, LifeLock users’ accounts had been under a credential stuffing attack beginning on or about December 1, 2022.

NortonLifeLock reported that its systems stay secure and were not hacked, however, user accounts were exposed to unauthorized access. NortonLifeLock stated the breached accounts included data like first and last names, telephone numbers, and mailing addresses. NortonLifeLock could not confirm whether users’ Password Manager accounts were compromised but cannot exclude the probability that the hackers could have verified users’ logon credentials and accessed the password vaults. This is more possible in case users’ Password Manager keys were the same as their Norton account passwords.

A credential stuffing attack is an attack on accounts that entails trying username and password combinations that were exposed in data breaches at unrelated services. Hackers put together credential lists from several data breaches and attempt to use those credentials to access accounts on other platforms. These attacks rely on known username and password combinations in the hope that users have reused the same credentials on other platforms.
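As an added example (not NortonLifeLock's detection system and not part of the original article), the following shows how an alert on a high number of unsuccessful logins can separate the credential stuffing pattern described above, where failures are spread thinly across many usernames, from brute force against a single account. The log format, sample lines, and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Constructed log format (an assumption for this example):
#   <ISO-8601 UTC timestamp> src=<ip> user=<name> result=<OK|FAIL>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)
Event = namedtuple("Event", "ts src user result")


def parse_line(line):
    """Parse one log line into an Event, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return Event(ts, m["src"], m["user"], m["result"])


def densest_window(events, window):
    """Return the run of time-sorted events, no longer than `window`,
    that contains the most failed logins."""
    best, best_fails = [], -1
    for i, first in enumerate(events):
        chunk = [e for e in events[i:] if e.ts - first.ts <= window]
        fails = sum(1 for e in chunk if e.result == "FAIL")
        if fails > best_fails:
            best, best_fails = chunk, fails
    return best


def classify_sources(lines, window=timedelta(minutes=10),
                     min_failures=5, min_users=5, max_tries_per_user=2.0):
    """Flag source addresses with a burst of failed logins and label the burst.

    credential_stuffing: many distinct usernames, about one guess each
                         (breached username/password pairs being replayed).
    brute_force:         many guesses concentrated on few usernames.
    Thresholds are hypothetical and need tuning against real traffic.
    """
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            by_src[ev.src].append(ev)

    findings = {}
    for src, events in by_src.items():
        events.sort()  # Event tuples sort by timestamp first
        chunk = densest_window(events, window)
        failed = [e.user for e in chunk if e.result == "FAIL"]
        if len(failed) < min_failures:
            continue  # an occasional mistyped password is not an alert
        users = set(failed)
        stuffing = (len(users) >= min_users
                    and len(failed) / len(users) <= max_tries_per_user)
        findings[src] = {
            "verdict": "credential_stuffing" if stuffing else "brute_force",
            "failures": len(failed),
            "distinct_users": len(users),
            # A success inside the burst means a replayed password worked:
            # these accounts need a forced reset and session revocation.
            "accounts_to_reset": sorted(
                {e.user for e in chunk if e.result == "OK"}),
        }
    return findings


# Constructed sample data using documentation-reserved IP ranges.
SAMPLE_LOG = """\
2022-12-01T08:00:01Z src=203.0.113.7 user=alice result=FAIL
2022-12-01T08:00:03Z src=203.0.113.7 user=bob result=FAIL
2022-12-01T08:00:05Z src=192.0.2.10 user=heidi result=FAIL
2022-12-01T08:00:06Z src=203.0.113.7 user=carol result=FAIL
2022-12-01T08:00:09Z src=203.0.113.7 user=dave result=FAIL
2022-12-01T08:00:11Z src=203.0.113.7 user=grace result=OK
2022-12-01T08:00:14Z src=203.0.113.7 user=erin result=FAIL
2022-12-01T08:00:17Z src=203.0.113.7 user=frank result=FAIL
2022-12-01T08:00:20Z src=192.0.2.10 user=heidi result=OK
""".splitlines() + [
    f"2022-12-01T08:05:{i:02d}Z src=198.51.100.23 user=admin result=FAIL"
    for i in range(8)
]

if __name__ == "__main__":
    for src, info in sorted(classify_sources(SAMPLE_LOG).items()):
        print(src, info)
```

Real campaigns rotate source addresses, so per-source counting is only one signal; the same ratio of distinct usernames to failures can be computed over other groupings such as user agent or network block.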

NortonLifeLock did a reset of passwords for all impacted accounts and implemented extra measures to defend against the attempts of unauthorized third parties. Affected users were instructed to change their Norton passwords right away, and the passwords of all other accounts including all passwords contained in the impacted users’ Password Manager accounts. Norton accounts with unique passwords were not impacted.

Account breaches like this are very common and become successful because of bad password practices. It can help to use a password manager for better security, nevertheless, it only works if password best practices are adopted. A password manager may have all the user’s account passwords, sensitive data including credit card information, and private files. Hence, it is important for the user to set a long, difficult, and unique password on the password manager and switch on two-factor authentication. It is highly recommended to use a passphrase with a minimum of 12 characters.

Cyberattacks Announced by Heartland Alliance and CentraState Medical Center

Heartland Alliance located in Chicago, IL, a social justice and human rights organization, reported on December 15, 2022, that it experienced a cyberattack. The organization discovered the security breach on January 26, 2022, and took quick action to protect its systems and stop continuing unauthorized access. A top-rated third-party cybersecurity company investigated the incident.

Heartland Alliance confirmed on April 27, 2022 that an unauthorized person gained access to its system and possibly accessed or acquired files that contain sensitive personal data. A lengthy review process was then started to determine the scope of the data breach and to obtain up-to-date contact information for the impacted persons. That whole process was finished in December 2022.

Heartland Alliance has confirmed that the protected health information (PHI) of patients who received medical care or took part in other Heartland programs was likely exposed, together with the personal details of workers, directors, and independent contractors. The information involved varied from person to person and might have included one or more of these data elements: names, birth dates, driver’s license numbers, bank account numbers, Social Security numbers, and health data. Heartland Alliance stated it isn’t aware of any attempted or actual misuse of the compromised information.

The organization issued notification letters to impacted people on December 15, 2022, and provided an identity and credit monitoring service for 12 months. Heartland Alliance has additionally confirmed that it has improved its IT security solutions to prevent similar security incidents in the future.

CentraState Medical Center Is Experiencing Disruption Following the December Cyberattack

CentraState Medical Center based in Freehold, NJ is dealing with a cyberattack that happened on or about December 30, 2022. The medical center detected the cyberattack during a shift change at approximately 7 am when computer programs began to malfunction. As a safety measure, the medical center went on full diversion, with ambulances directed to alternate facilities while the cause of the IT system failure was investigated.

Tom Scott, the President and CEO of CentraState Medical Center, has confirmed that the disruption was caused by a cyberattack that impacted selected IT systems. Systems were quickly isolated to contain the attack. An investigation was started to find out the nature and extent of the breach. Workers recorded patient information using pen and paper while the IT systems were not working, and extra employees were brought in to handle the increased workload.

CentraState Medical Center gave additional information on January 3, 2023, stating that its usual high quality of patient care is being maintained; however, certain services at the medical center remain affected, including mammography, outpatient radiology, radiation therapy, laboratories, and catheterization laboratory services. Scheduled inpatient operations are proceeding as usual; nevertheless, a number of outpatient visits were canceled or rescheduled.

No timeline was given for when systems will be completely restored, and no information was shared on the precise nature of the incident. It is also uncertain at this early point of the investigation whether, and to what extent, patient data was affected.

Scripps Health Offers to Pay $3.5M to Settle Class Action Lawsuit Over Ransomware Attack

Scripps Health based in San Diego has proposed a settlement of a consolidated class action lawsuit, Scripps Health Data Incident Litigation, to resolve all claims associated with its ransomware attack in 2021.

In April 2021, Scripps Health experienced a ransomware attack and reported it to the Department of Health and Human Services indicating that 147,267 patients were affected. The attack caused major disruption at Scripps Health hospitals. Ambulances were redirected and scheduled appointments were cancelled. The employees used pen and paper to record patient data for about a month while the health system restored its IT systems.

The investigation confirmed that the attackers stole patient records from its system on April 29, 2021, which contained PHI such as names, driver’s license numbers, Social Security numbers, and medical data, including data kept in health records. The ransomware attack was extremely expensive for Scripps Health. Based on its financial statements, the attack resulted in roughly $113 million in lost income.

After the data breach, Scripps Health faced multiple lawsuits filed in the San Diego County Superior Court on behalf of the ransomware attack victims. The lawsuits assert Scripps Health did not implement and maintain adequate security measures to secure patient data and lacked policies and procedures for detecting and remediating cyberattacks, in spite of knowing the high risk of an attack.

The plaintiffs claim they suffered lost time, annoyance, interference, and inconvenience because of the data breach, including being unable to log in to the MyScripps patient website, which patients use to view their healthcare data, ask for prescription refills, manage appointments, and communicate with doctors. The lawsuits sought damages, reimbursement of out-of-pocket expenses, and injunctive relief requiring Scripps Health to implement adequate security measures to better secure patient information in the future.

Scripps Health did not admit to any wrongdoing and does not accept responsibility for the cyberattack and data breach. It decided to settle the lawsuit to avoid further legal costs, avoid the uncertainty of trial, and resolve all claims associated with the data breach. Under the terms of the settlement, class members may submit a claim of around $100, which is subject to a pro-rata increase based on the number of claims received. Additionally, class members may submit claims for documented ordinary and extraordinary losses. The settlement amount is likely to exceed $3.5 million.

Claims for reimbursement of ordinary out-of-pocket losses are allowed up to a maximum of $1,000 for each class member. Ordinary losses consist of card re-issuance fees, unreimbursed bank fees, overdraft fees, over-limit fees, phone charges, costs of credit reports, and related losses that are fairly traceable to the ransomware attack.

Extraordinary losses are those arising from identity theft that is fairly traceable to the ransomware attack and was experienced from April 29, 2021, to March 23, 2023. To be eligible for compensation for extraordinary losses, class members must have made reasonable efforts to avoid losses and have exhausted certain avenues for recovering losses associated with identity theft.

Class members who wish to exclude themselves from the settlement or object to it have until March 8, 2023. The final day for submitting claims is March 23, 2023. The final approval hearing is on April 7, 2023.

As Many as 254,000 Medicare Beneficiaries Affected by CMS Subcontractor Ransomware Attack

On November 14, 2022, Health Care Management Solutions (HMS) based in Fairmont, WV submitted a data breach report to the HHS’ Office for Civil Rights indicating that around 500,000 people were affected. At the time, few details regarding the breach were disclosed. It has now been confirmed that HMS experienced a ransomware attack on October 8, 2022.

As a subcontractor of ASRC Federal Data Solutions, LLC (ASRC Federal), HMS is a business associate of the HHS’ Centers for Medicare and Medicaid Services (CMS). It provides services that include resolving system problems related to beneficiary entitlement and premium payment files and assisting with the collection of Medicare premiums from direct-paying beneficiaries.

The CMS stated that HMS does not handle Medicare claims data, so no claims information was impacted and CMS systems were not breached; nevertheless, the cybercriminals responsible for the attack may have seen the personally identifiable information (PII) and/or protected health information (PHI) of Medicare beneficiaries. The CMS states around 254,000 Medicare beneficiaries were potentially affected and had some of their PII and PHI exposed.

The information compromised and possibly stolen in the attack included names, dates of birth, addresses, phone numbers, Social Security numbers, Medicare beneficiary identifiers, banking details, and Medicare entitlement, enrollment, and premium details. The CMS is sending breach notification letters to impacted Medicare beneficiaries and said they will be provided with updated Medicare cards along with new beneficiary identifiers. Free credit monitoring services are provided.

In October 2022, HMS suffered a cybersecurity incident resulting in unauthorized access to its network which impacted selected systems. HMS took action immediately and shut down its system to contain the incident. According to an HMS spokesperson, top external cybersecurity specialists were hired to investigate the incident, and the investigation remains ongoing. HMS takes patient privacy seriously, regrets any issue this incident might have caused in the community, and will alert affected persons as per legal and contractual obligations.

HMS informed the CMS about the ransomware attack on October 9, 2022. On October 18, 2022, the CMS confirmed with certainty that Medicare beneficiary records were involved. Since then, the CMS has been working with the contractor to determine which people were affected. The CMS investigation of the ransomware attack is in progress; however, the initial data suggests HMS was in violation of its obligations to CMS. The CMS stated it is not aware of any attempted or actual misuse of the PHI and PII of Medicare beneficiaries.

CMS Administrator Chiquita Brooks-LaSure said that the protection and security of beneficiary data are of the highest importance to the agency. It is still assessing the impact of the breach involving the subcontractor, is providing support to persons possibly impacted by the incident, and will take all necessary actions to protect the data entrusted to CMS.

Data Breaches at Receivables Performance Management and Acuity Brands

Acuity Brands based in Georgia and Receivables Performance Management based in Washington recently announced data breaches. The latter’s data breach has impacted over 3.7 million persons.

Receivables Performance Management

Receivables Performance Management (RPM) in Lynnwood, WA, a business associate of a few HIPAA-covered entities, has just started notifying individuals affected by a 2021 ransomware attack. RPM detected the attack on May 12, 2021, and its investigation confirmed that its network was first breached on April 8, 2021. However, file encryption only began on May 12.

RPM stated it was able to block the attack and recover its systems in just 36 hours and engaged a computer forensics firm to investigate the breach and determine the nature and extent of the attack; nevertheless, the types of data and people impacted were identified only on October 2, 2022. RPM said that the long duration of the investigation was a result of the infrastructure complexities of RPM’s server. RPM stated it received confirmation that the information is not under the control of the third party(ies) connected to this incident.

RPM said personal data was likely exposed, including Social Security numbers. Impacted persons are being given free credit monitoring services. RPM stated it is working together with security professionals to strengthen its defenses to prevent similar breaches in the future. At this point, the number of individuals affected by the breach is not yet certain. The breach report sent to the Maine Attorney General shows a total of 3,766,573 people were impacted, with roughly 500,000 of those persons living in Texas. The breach is not yet published on the HHS’ Office for Civil Rights breach website.

Acuity Brands Data Breach

Lighting and building management company Acuity Brands based in Georgia reported that unauthorized persons got access to its system from December 7 to December 8, 2021, and extracted a number of files. During the breach investigation, Acuity Brands identified a prior security breach that happened from October 6 to October 7, 2020, and in that prior incident, unauthorized persons had tried to duplicate the files from its database.

An analysis of all files possibly accessed in the two incidents revealed that the files held the data of present and past health plan members and workers. The incident only affected the data of employees. No client data was exposed.

The two incidents resulted in the exposure and potential theft of files containing names, driver’s license numbers, Social Security numbers, financial account details, and some medical data associated with other aspects of a person’s employment with Acuity, for example, injury data associated with workers’ compensation claims, or data associated with leave requests covered by the Family and Medical Leave Act. The kinds of data involved differed from one person to another. Free memberships to credit monitoring services are being provided to eligible persons. Additional safety measures were implemented to prevent further data breaches.

The incidents are not yet posted on the HHS’ Office for Civil Rights breach website, therefore it is presently uncertain how many persons were impacted.

Data Breaches at One Brooklyn Health System and Mena Regional Health System

One Brooklyn Health System is presently handling a cyberattack that has caused disruption at its three hospitals – Brookdale Hospital Medical Center, Kingsbrook Jewish Medical Center, and Interfaith Medical Center. Little information has been published about the attack to date, which is thought to have happened on or before November 19. The health system shut down its system on this date and stayed offline for over one week.

The New York Post reported that the cyberattack has kept hospital personnel from accessing the electronic medical record system; therefore, patient data was recorded using pen and paper and the hospitals adopted emergency protocols. It was decided to redirect ambulances to other hospitals, even though communication with other hospitals in the community appears to have been unavailable. The health system also reportedly didn’t inform New York Fire Department ambulance services that it would send its emergency cases to alternate hospitals.

The hospital has engaged third-party specialists to help investigate the nature and extent of the cyberattack and to help bring IT systems back online. Some systems are now accessible online and there is restricted access to its electronic medical record system as well as some other medical software. One Brooklyn Health released a statement stating that the security breach did not affect patient care and, although ambulances were redirected, appointments were not canceled. At this stage of the breach response, it is too early to say whether patient data was affected and to what extent.

Approximately 85,000 Patients Affected by Mena Regional Health System Breach

Mena Regional Health System (MRHS) based in Arkansas reported on November 22, 2022, the access and exfiltration of files with 84,814 patients’ protected health information (PHI) by an unauthorized third party.

MRHS didn’t mention in its substitute breach notice the date of the initial network access by the hacker. However, the intrusion was identified on November 8, 2022. According to the investigation, files were extracted from its system over a year ago, on or about October 30, 2021. MRHS offered no explanation of why it took so long to identify the breach.

The analysis of the files confirmed the inclusion of complete names, birth dates, Social Security numbers, driver’s license/government ID numbers, financial account details, health record/patient account numbers, medical diagnosis/treatment data, medical company names, laboratory results, prescription data, and medical insurance information.

MRHS stated it did not know of any actual or attempted patient data misuse and that as a safety precaution, it sent notification letters to impacted persons. That process started on November 22, 2022. Those who had their Social Security numbers exposed received free credit monitoring services. Security processes are under review and will be modified to protect the privacy and security of patient data.

10 Charged With BEC Scams Targeting Medicare, Medicaid, and Private Insurance Organization

The U.S. Department of Justice has charged 10 people over business email compromise scams that led to losses of over $11.1 million from Medicaid, Medicare, and private medical insurance plans. The payments were intended for hospitals for delivering covered healthcare services.

Business email compromise (BEC) scams involve gaining access to real email accounts and using them to fool persons in charge of wire transfers into sending fraudulent payments to accounts controlled by the threat actor. These scams are the leading cause of losses to cybercrime. According to the FBI, over $43 billion was lost to these scams from June 2016 to December 2021. In 2021 alone, the FBI Internet Crime Complaint Center received reports of losses due to BEC scams totaling $2,395,953,296.

The arrests were associated with a string of frauds that spoofed hospital email accounts. The persons allegedly involved in these attacks sent email messages requesting changes to the bank account information on file for all future payments. The accounts were recently created by money mules, who would withdraw the money as soon as the transfers were made. The money was then laundered via fake and stolen identities and shell companies. The cash was sent overseas and was used to buy luxury goods and exotic cars. Two Medicare Administrative Contractors, five Medicaid programs, and two private health insurance companies were fooled into altering the bank account details for payments.

7 people were newly charged in connection with these scams, all of whom were residents of Georgia and South Carolina. They were:

  • Biliamin Fagbewesa, 31 years old from Columbia, South Carolina
  • Desmond Nkwenya, 35 years old from Atlanta, Georgia
  • Patrick Ndong-Bike, 32 years old from Atlanta, Georgia
  • Cory Smith, 29 years old from Atlanta, Georgia
  • Olugbenga Abu, 45 years old from Atlanta, Georgia
  • Chisom Okonkwo, 26 years old from Atlanta, Georgia
  • Trion Thomas, 50 years old from Stone Mountain, Georgia

The other three persons were previously charged over their money laundering activities. They were:

  • Adewale Adesanya, 39 years old from Jonesboro, Georgia
  • Sauveur Blanchard Jr., 49 years old from Richmond, Virginia
  • Malachi Mullings, 29 years old from Sandy Springs, Georgia

Medicare, Medicaid, and private medical insurance providers experienced losses of over $4.7 million. Federal government institutions, private businesses, and individuals suffered $6.4 million in losses. 9 of the defendants face maximum prison terms of 20 or 30 years if found guilty. Adewale Adesanya admitted to conspiracy to commit money laundering and to the use of a false passport, having laundered around $1.5 million from the BEC scams targeting Medicaid, the IRS, a private firm, the Small Business Administration (SBA), and two elderly romance scam victims. He was sentenced to 4 years in prison on September 15, 2022.

These accusations show a brazen attempt to siphon funds, partly, from vital health care services to finance personal gain, stated the U.S. Department of Health and Human Services Office of Inspector General (HHS-OIG) Deputy Inspector General for Investigations Christian J. Schrank. A major concern of HHS-OIG is the reliability of programs like Medicare and Medicaid, and therefore it is the uttermost priority to go after people who financially take advantage of them. This synchronized action is a perfect example of the dedication that HHS-OIG and our police partners have to protecting the federal healthcare system from fraudulence.

Around 1.2 Million Patients Affected by Ransomware Attack on Puerto Rico Hospital

Doctors’ Center Hospital located in Puerto Rico has just informed the Department of Health and Human Services Office for Civil Rights (OCR) about the hacking/IT incident it has experienced and the potential compromise of the protected health information (PHI) of 1,195,220 patients.

As of November 23, 2022, the hospital’s website has not published any notification concerning the incident, so Doctors’ Center Hospital has not yet made public any details about the nature of the attack. However, all available information suggests that the incident was a recent attack, and the hospital is still trying to recover from it.

Databreaches.net looked into the incident and found that a relatively unknown ransomware gang named Project Relic has claimed responsibility for the cyberattack on its data leak website. The Project Relic dark web data leak website posted 114 MB of the 211 GB of data that was stolen during the attack.

A report by Blackpoint’s Adversary Pursuit Group discusses the group and states that the new ransomware group was not well-known one month ago; however, it has carried out several attacks. It is believed that the group only began its operations in October 2022. According to Blackpoint, the ransomware is written in Go because of its portability, speed, and the low likelihood of it being detected by static analysis. The group is known to communicate with victims through a customized chat program on the Tor network to negotiate ransoms, and the group posts stolen information when the ransom is not paid by the deadline.

One partner of Blackpoint experienced an attack in which the group claimed to have exfiltrated 400 GB of information and demanded a ransom of 100 BTC or roughly $1,638,800. Blackpoint has examined the ransomware; however, it cannot determine at this time how the group gains access to victims’ networks.

Additional updates will be posted when they become available.

OakBend Medical Center and Keystone Health Face Lawsuits Over Data Breaches

OakBend Medical Center Cyberattack

OakBend Medical Center learned about the compromise of its systems and encryption of files on September 1, 2022. The hospital contained the breach and blocked access to its network. A forensic investigation was carried out to find out the nature and extent of the cyberattack. The forensic investigation reported that the threat actors had exfiltrated files that contain patient information. OakBend Medical Center stated that entire healthcare records do not appear to have been stolen. The stolen information included names, contact details, birth dates, and Social Security numbers. The attackers, known as Daixin Team, claimed they stole information including 1 million patient documents, though OakBend Medical Center has not confirmed this yet.

On October 28, 2022, the data breach impacted two patients, Alissa Wojnar and Ryan Higgs. Wojnar and Higgs took legal action because of the theft of their protected health information (PHI). Attorney Joe Kendall of Dallas, TX filed the lawsuit in the District Court for the Southern District of Texas. Allegedly, OakBend Medical Center stored the private data of patients carelessly and did not appropriately monitor its IT system. The lawsuit claims negligence, negligence per se, breach of fiduciary duty, breach of implied contract, unjust enrichment, invasion of privacy, and intrusion upon seclusion.

The plaintiffs assert they have sustained the loss of the benefit of their bargain, out-of-pocket expenses, the value of their time that was spent on remedying and mitigating the impact of the attack, emotional distress, and the imminent risk of future harm due to the exposure of their sensitive personal data. The legal action seeks class-action status, reimbursement of out-of-pocket expenses, compensatory damages, and injunctive relief that requires OakBend Medical Center to implement additional security measures to better secure patient information and to provide adequate credit monitoring services to impacted individuals.

Keystone Health Cyberattack

Keystone Health uncovered the compromise of its network on August 19, 2022. After securing the systems, a forensic investigation was started to find out the extent of the attack. It was established that the attackers got access to its system from July 28, 2022 to August 19, 2022. At that time, the accessible sensitive patient information included names, clinical data, and Social Security numbers. The breach impacted 235,237 individuals, who received notifications on October 14, 2022.

The law firm Milberg Coleman Bryson Phillips Grossman, PLLC filed the legal action in the District Court for the Middle District of Pennsylvania naming Jacob Whitehead as the plaintiff, on behalf of his son, a minor. The lawsuit claims Keystone Health did not appropriately protect and safeguard personally identifiable information (PII), and that the private data of patients was managed in a careless and negligent way that made it susceptible to cyberattacks.

The legal action claims negligence for not implementing minimum industry standards for securing patient information and states Keystone Health did not meet its obligations under the HIPAA Security Rule because appropriate safeguards were not applied to protect patients’ electronic protected health information (ePHI). The lawsuit additionally claims a breach of the HIPAA Breach Notification Rule for not appropriately notifying patients regarding the data breach.

The lawsuit states the plaintiff and others impacted by the data breach are currently at considerable risk of identity theft and various other types of personal, financial, and social harm. They claim to have suffered injury in the form of lost or diminished value of their private data, out-of-pocket expenses related to the prevention, detection, and recovery from identity theft, tax fraud, and/or unauthorized use of their private data, lost time and opportunity, and a continuing and considerably higher risk of cyberattacks and fraud.

The lawsuit seeks class-action status, a jury trial, damages, and equitable and injunctive relief, including a requirement for Keystone Health to make sure it has an effective and comprehensive security program, to undergo independent security audits and penetration tests, to have internal employees run automated security monitoring, and to give employees security awareness training at least yearly.

Cyberattack on Michigan Medicine and Ascension St. Vincent’s Coastal Cardiology Brunswick

University of Michigan Health (Michigan Medicine) has recently announced the potential compromise of the protected health information (PHI) of around 33,850 patients due to a phishing attack. Michigan Medicine detected suspicious activity in its email accounts and took steps immediately to secure the accounts to stop further unauthorized access.

Michigan Medicine stated the phishing campaign happened between August 15 and August 23, 2022, resulting in the compromise of four email accounts. According to the breach notice of Michigan Medicine, employee email accounts were protected by multi-factor authentication when the attack happened. Four employees responded to the phishing emails, visited a malicious website, disclosed their Michigan Medicine login details, and responded to the multi-factor authentication prompts, which allowed their accounts to be accessed.

The investigation by forensic experts uncovered no evidence of data theft, and the accounts did not appear to have been breached in order to obtain patient information; nevertheless, Michigan Medicine has assumed that all data in the accounts was exposed. The review of the email accounts was completed on October 17, 2022. Michigan Medicine has already sent the breach notification letters.

The compromised accounts contained job-related communications for patient coordination and care. The data in the email messages varied from one patient to another and possibly included names, together with one or more of the following types of information: date of birth, address, diagnostic and treatment details, and medical insurance data. Michigan Medicine said it has put in place additional technical safeguards for its email system and infrastructure to prevent similar incidents.

This is Michigan Medicine’s second email account breach report submitted this year. In late February, Michigan Medicine reported that a single email account with the PHI of 2,920 individuals had been breached. Michigan Medicine was likewise targeted in a phishing campaign in 2019 that resulted in the receipt of phishing emails by 3,200 employees. During that attack, three employees replied, leading to the exposure of the PHI of 5,466 patients.

Ransomware Attack on Ascension St. Vincent’s Coastal Cardiology Brunswick

Ascension St. Vincent’s Coastal Cardiology Brunswick based in Georgia has begun notifying 71,227 patients about a security breach that impacted its legacy systems, which include its legacy electronic health record system. The healthcare provider discovered the incident on August 15, 2022, and immediately secured all systems to stop continuing unauthorized access; nevertheless, the encryption of selected files on those systems could not be prevented. The investigation confirmed the attack was limited to its legacy systems and did not impact any Ascension networks or systems or its electronic medical system. The legacy Coastal Cardiology system was mainly used to retain patient information to satisfy regulatory requirements and wasn’t used for current business operations.

Ransomware attacks frequently involve data theft before file encryption; nevertheless, the forensic investigation did not find any evidence that suggests the removal of any information from those systems. Based on the breach notice, there was no ransom paid, since the data can’t be decrypted. Therefore, it cannot be determined which types of data were encrypted. Ascension said the systems could have contained demographic and medical data associated with appointments at Coastal Cardiology before October 5, 2021. That data could have included names, telephone numbers, addresses, email addresses, insurance data, clinical details, billing and insurance details, and Social Security numbers.

The affected individuals received free credit and identity theft protection services. Ascension stated it has performed a security risk analysis, realigned employees’ duties, removed access rights to the legacy system, and is providing additional training to its colleagues.

CommonSpirit Health System Outages Due to Ransomware Attack

CommonSpirit Health experienced a data security incident on October 3, 2022. Its systems, which include its electronic health record (EHR) and other crucial IT systems, were taken offline to avoid further damage, contain the breach, and stop unauthorized access to sensitive information. CommonSpirit Health released a statement on the next day, explaining that the incident involved an IT issue causing system outages at a few of its hospitals and care centers. CommonSpirit Health is one of the biggest health systems and is the second-biggest non-profit health system in America. It has about 1,500 hospitals and clinics in 21 states. CommonSpirit Health was created from the CHI Health and Dignity Health merger in 2019.

After the security incident, hospitals and care facilities throughout the United States began reporting that they were impacted. This shows that the incident had an impact all over the country. Many CHI Health facilities reported they were impacted and implemented emergency procedures because they lacked access to critical IT systems. Hospitals located in Illinois, Iowa, Nebraska, Washington, and Tennessee all reported that they were affected by the incident.

CHI Health issued a statement about the impact of the CommonSpirit Health incident, saying that a number of CHI Health facilities had taken their systems offline as a safety measure. Because of patient safety issues, it was decided to cancel, delay, or reschedule a number of patient consultations and procedures, to temporarily suspend access to the patient portal, and to follow offline procedures for operations and handling prescription drugs.

These steps were essential to contain the attack and limit the impact on systems; nevertheless, they are having a considerable effect on patients, who are experiencing delays in getting health care. A lot of people are likewise having difficulties obtaining the medicines they require to deal with their medical conditions. MercyOne, which manages 230 healthcare centers in Iowa, stated the incident shut down its online booking system, preventing online visits from being booked in Central Iowa.

A number of people claiming to be staff members and patients of CommonSpirit Health have expressed their concerns on social media websites. Patients have stated they could not get health care and prescribed medications, which include drugs for dealing with cancer at home. Persons claiming to be workers have mentioned having nightmares because of needing to use paper charts. A nurse shared on Reddit that employees at the hospital could not access the Downtime Epic EHR system to view patient records, and that the pharmacy could not confirm orders and needed to write labels manually. Labs were also handwritten and faxed. Eleven days have passed since the incident and the IT systems remain offline.

No information was released at first regarding the precise nature of the incident. However, security researcher Kevin Beaumont tweeted immediately after the incident that it was a ransomware attack, which CommonSpirit Health has now confirmed.

CommonSpirit Health mentioned in a new update that the incident is ongoing and the response is being handled with support from top-rated cybersecurity experts. The Department of Health and Human Services, law enforcement, and other government bodies were already informed about the attack and are giving assistance.

CommonSpirit Health mentioned that throughout the response, the main concern is to continue to offer the best quality of patient care and ensure patient safety. An ongoing forensic investigation is determining the scope of the attack, and a systems review is being done to find out whether any information was affected. That process may take a while, and additional information will be made available as the investigation produces results.

CHI Health facilities were impacted and are still dealing with disruption. According to CommonSpirit Health, it is doing everything it can to bring systems back online and will reestablish services as soon as possible. CommonSpirit Health has stated that there was little effect on the systems utilized by Virginia Mason Medical Center and Dignity Health.

Data Breaches Announced by Wolfe Clinic, SERV Behavioral Health System and Reiter Affiliated Companies

Wolfe Clinic, P.C., located in Iowa, recently reported that it was impacted by the Eye Care Leaders data breach. The attack on the electronic medical record provider compromised the protected health information (PHI) of 542,776 present and past Wolfe Clinic patients.

Wolfe Clinic utilized the myCare Integrity medical records program, which an unauthorized party accessed on or about December 4, 2021. The attacker erased databases and system settings files. Forensic experts investigated the security breach; however, there was insufficient forensic evidence because of the removal of files. Hence, it cannot be determined if the attackers accessed or obtained the PHI of Wolfe Clinic patients. Potentially compromised information includes names, addresses, dates of birth, Social Security numbers, diagnostic data, and medical insurance data.

At the time of issuing breach notifications, Wolfe Clinic had not received any reports of identity theft or fraud associated with the data breach at Eye Care Leaders. Impacted persons were provided one year of free credit monitoring and identity theft protection services.

The data breach at Eye Care Leaders impacted about 40 eye care providers and led to the compromise of the PHI of approximately 3.6 million patients.

Reiter Affiliated Companies Report Cyberattack in June 2022

Reiter Affiliated Companies, the biggest fresh, multi-berry manufacturer worldwide, recently confirmed that an unauthorized third party acquired access to its system from June 25, 2022 to July 4, 2022. The attack was identified on July 4, 2022, when selected systems became inaccessible. Immediate action was undertaken to protect its systems against continuing unauthorized access. An investigation was started to find out the nature and extent of the attack. The forensic investigation confirmed that files were extracted from its systems during the period of unauthorized access, and that those files included the Health and Wellness Plan enrollment rosters with the names of plan members, birth dates, and Social Security numbers.

Impacted persons were informed by mail and were provided free credit monitoring and identity theft protection services. Reiter Affiliated Companies stated it took steps to enhance security and prevent further data breaches.

Reiter Affiliated Companies, LLC’s breach report sent to the HHS’ Office for Civil Rights indicated that 45,000 people were affected. The Reiter Affiliated Health and Welfare Plan’s breach report indicated that 45,000 people were affected.

SERV Behavioral Health System Reports Cyberattack in May 2022

SERV Behavioral Health System, located in New Jersey, recently reported that it suffered a cyberattack whereby the PHI of 8,110 persons was likely exposed. The health system stated it discovered the attack on May 27, 2022, and conducted a forensic investigation that ended on August 4, 2022. SERV mentioned it did not find any proof of access or theft of any patient data during the attack. However, the possibility of data theft cannot be ruled out. The analysis found that the files possibly exposed included names, contact details, driver’s license numbers, Social Security numbers, and health data.

The health system has already notified the impacted persons by mail and took steps to enhance security to prevent similar attacks. The Hive ransomware group claimed to have launched the attack.

New York Ambulance Service Reports Ransomware Attack and Data Breach of 318K Records

The New York ambulance service Empress EMS (Emergency Medical Services) has reported a ransomware attack. Empress EMS detected the attack on July 14, 2022, and the files contained in selected systems were encrypted. Based on the notification posted on the company’s website, Empress EMS took immediate steps to contain the incident and engaged third-party forensics specialists to look into the attack.

According to the forensic investigation, the attackers initially acquired access to its system on May 26, 2022, and on July 13, 2022 copied a small part of the files. Then, they deployed ransomware to encrypt the files on its system. A thorough analysis of the impacted files confirmed that they included protected health information (PHI) such as names, insurance details, dates of service, and Social Security numbers of a number of individuals.

Empress EMS has already sent the data breach report to the HHS’ Office for Civil Rights, indicating that up to 318,558 patients were affected. Empress EMS has informed all impacted persons, has instructed them to review their healthcare reports for accuracy, and has told them that credit monitoring services will be provided to selected persons. Empress EMS mentioned that it took steps to reinforce system security to avoid similar occurrences in the future.

Empress EMS didn’t mention which group was responsible for the attack; nevertheless, the Hive ransomware group has claimed responsibility for the cyberattack. Databreaches.net acquired a copy of the ransom note and a part of the stolen information and stated that the files seem to include the PHI of the patients of Empress EMS. The Hive gang claims to have acquired the Social Security numbers of over 100,000 individuals, and customer data like home and email addresses, telephone numbers, passport numbers, payments, and working time. Employee information was likewise affected, together with NDAs, contracts, and other private company details.

At the time of publication, the Hive group had not listed the stolen information on its data leak website; however, some information was temporarily uploaded. Usually, when the victim does not pay the ransom, the group follows through on its threat and posts the stolen information.

Study Reveals Growing Mortality Rate and Poor Patient Outcomes Following Cyberattacks

According to a recent study, over 20% of healthcare companies encountered a rise in mortality rate following a major cyberattack, 57% of the healthcare organizations mentioned they encountered negative patient outcomes, and around 50% reported a rise in health complications. The most typical results of the attacks that led to negative patient outcomes were late procedures and testing.

The Ponemon Institute conducted the study together with cybersecurity company Proofpoint. The study involved 641 healthcare IT and security professionals in America, with the results published in the report Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care. The results reflect those of an earlier study performed by the Ponemon Institute in 2021 with Censinet. That study involved 597 healthcare participants, and 22% said they encountered higher mortality rates after a ransomware attack.

The most recent study applied a wider cyberattack definition, including the four most common types of attack (ransomware, cloud compromise, supply chain, and business email compromise/phishing), and consequently suggests it isn’t just ransomware attacks that adversely impact patient outcomes. Ransomware attacks cause file encryption that can make critical IT systems inaccessible. Quite often healthcare companies have to deactivate IT systems to contain an attack. The time it takes to recover from a ransomware attack is usually longer than for other kinds of attacks. The survey established that ransomware attacks had the greatest effect among the four types of attacks. 64% of healthcare companies stated they encountered delays in medical testing and procedures after a ransomware attack and 59% stated the attacks caused extended patient stays.

It must be mentioned that the two studies demonstrated a relationship between cyberattacks and unfavorable patient outcomes but didn’t show causation. More studies must be done to determine precisely what facets of the attacks have the greatest adverse effect on patient results and cause a rise in mortality rate.

The attacks that were analyzed put substantial pressure on healthcare company resources. Their result isn’t just considerable cost but also an immediate effect on patient care, jeopardizing the safety and wellness of people. The majority of the IT and security experts consider their companies susceptible to these attacks, and 66% think that increased adoption of technologies including cloud, mobile, Internet of Things, and big data leads to more risks to patient information and safety.

The Proofpoint survey additionally revealed the magnitude of attacks on healthcare companies. 89% of surveyed companies encountered about 43 attacks during the last 12 months, though the proportion of successful attacks is not clear. Cyberattacks on healthcare companies have a substantial financial effect. An earlier study, done by the Ponemon Institute with IBM Security, found that the cost of a cyberattack on average has grown to $4.4 million. The healthcare sector had the highest breach costs among all industries, with the cost of a healthcare data breach on average increasing to $10.1 million.

Challenges in Healthcare Cybersecurity and the Biggest Security Threats

One of the major problems encountered by healthcare companies is getting the required talent to protect against attacks. 53% of respondents rated insufficient in-house expertise as a major challenge. 46% mentioned they didn’t have enough cybersecurity staff, and the two factors had an adverse impact on the security posture of organizations.

Respondents were asked about their greatest security concerns, and one of the primary concerns was medical device safety. Healthcare companies have 26,000 medical devices linked to the internet, and these were regarded as a cybersecurity threat by 64% of respondents; however, only 51% of respondents mentioned these devices are included in their cybersecurity approach.

75% of survey respondents stated they were vulnerable to cloud compromise, and 72% stated they were susceptible to ransomware attacks. 54% of companies mentioned they had encountered a cloud compromise in the last two years, with those companies going through about 22 such compromises; nonetheless, 64% of companies stated they took steps to prepare for and respond to those cyberattacks.

60% of companies stated they were most worried about ransomware attacks, and 62% stated they took steps to avoid and react to ransomware attacks.

71% of companies mentioned they were susceptible to supply chain attacks and 64% were susceptible to BEC and phishing/spoofing attacks, but only 44% and 48% mentioned they had documented response plans for these attacks.

Protecting Against Healthcare Cyberattacks

Cyberattacks on the healthcare sector are becoming more sophisticated. To protect against these attacks, a defense-in-depth strategy with several overlapping protection layers is necessary. It is also essential to have a documented and practiced incident response plan in place for every major kind of attack. Not being ready to respond to cyberattacks could put patient safety in danger. An incident response plan in which everyone engaged in the response understands their roles and duties could shorten the recovery time substantially, which limits the unfavorable effect on patients and minimizes the financial expense. Having consultants and cybersecurity companies that thoroughly know the infrastructure of a company is a big advantage and helps ensure the quickest possible response in case of a successful cyberattack.

Although cyberattacks could be sophisticated, they frequently begin with a phishing or social engineering attack. The significance of employee training can’t be over-emphasized. All workers ought to know why good cyber hygiene is important and what it involves, and they must be trained on how to identify phishing and social engineering attacks. Providing employees with regular cybersecurity awareness training and doing phishing simulations could considerably reduce risk over time.

Healthcare has usually lagged behind other industries in addressing vulnerabilities to the growing number of cyberattacks, and this inaction has a direct adverse effect on patients’ safety and wellness. So long as cybersecurity is not a high priority, healthcare companies will endanger their patients. To prevent disastrous effects, healthcare companies should understand how cybersecurity impacts their patient care and do what is necessary to better prepare and protect people and secure information.

PHI Compromised in Cyberattacks on Columbia River Mental Health Services and Methodist McKinney Hospital

Methodist McKinney Hospital, located in Texas, has recently reported that unauthorized individuals accessed its systems and extracted files that contain sensitive information. The hospital detected the security breach on July 5, 2022, and a third-party cybersecurity company investigated the nature and extent of the breach. The investigation revealed that the attackers accessed its systems from May 20, 2022 to July 7, 2022, and during that time they exfiltrated files with patient information. The initial investigation has confirmed that the files included names, Social Security numbers, addresses, dates of birth, medical history data, medical diagnosis details, treatment data, medical record numbers, and medical insurance details.

The security breach investigation is in progress, and a comprehensive review of all impacted files was started to identify the patients impacted. It was confirmed that the breach impacted patients of Methodist Allen Surgical Center, Methodist McKinney Hospital, and Methodist Craig Ranch Surgical Center. The hospital will send notifications to impacted patients in due course. It is presently uncertain how many persons were impacted.

Methodist McKinney Hospital’s substitute breach notification didn’t reveal the nature of the cyberattack; however, it seems to have been a ransomware attack. Methodist McKinney Hospital is listed on the Karakurt ransomware gang’s data leak site as a pre-release, and the listing states that 367 GB of information was extracted during the attack.

Employee Email Accounts Breach at Columbia River Mental Health Services

Columbia River Mental Health Services has recently informed the HHS’ Office for Civil Rights of a security breach that involves some employee email accounts. Based on the breach notification, the provider detected suspicious activity in a number of email accounts. Third-party forensics specialists were engaged to look into the breach. As per the investigation, unauthorized individuals accessed the email accounts from May 14, 2021 to April 8, 2022.

On July 6, 2022, the analysis of the impacted accounts confirmed that they contained the protected health information (PHI) of patients. The evaluation of the data in the accounts is in progress. Breach notification letters will be mailed to impacted persons as soon as the review is concluded. The breach report was submitted to the HHS’ Office for Civil Rights with ‘501’ persons listed as impacted in order to meet the deadline for submitting the incident report. The breach total is going to be updated upon confirmation of the number of impacted persons.

United Health Centers of San Joaquin Valley and Lee County Emergency Medical Services Affected by PHI Breach

In August 2021, the Vice Society ransomware operation posted stolen information on its data leak website that was purportedly acquired during a cyberattack on United Health Centers of San Joaquin Valley. Bleeping Computer discovered the data leak on August 31, 2021 and tried to notify United Health Centers several times. Databreaches.net likewise knew about the data breach and also tried to alert United Health Centers several times.

Roughly one year on, United Health Centers has informed the people whose protected health information (PHI) was compromised or stolen in the attack. The breach notification sent to the California Attorney General on August 12, 2022 stated that United Health Centers encountered technical problems on August 28, 2021, which disrupted its computer network. The company took immediate steps to protect its systems and launched an investigation to find out the reason for the incident.

United Health Centers stated it found out on September 22, 2021 that the attacker exfiltrated patient information from its network. It engaged third-party experts to determine the extent of the data breach. According to the investigation results, data was exfiltrated from August 24, 2021 to August 28, 2021. A detailed analysis of the compromised information was finished on April 11, 2022. United Health Centers stated that it then worked promptly to deliver notification letters to those individuals whose data was included in the compromised documents.

The documents included names, health record numbers, and Social Security numbers. Impacted persons were provided a free 12-month membership to an identity theft restoration and credit monitoring service by Experian. It is presently uncertain precisely how many individuals were impacted.

Lee County Emergency Medical Services Informs Patients Affected by Third-Party Data Breach

Lee County Emergency Medical Services has just begun informing a number of patients about a data breach involving its business associate Intermedix Corporation. The two companies had worked together for about 15 years prior to terminating their contract in September 2014. Intermedix Corporation had provided certain patient data to the law firm Smith, Gambrell & Russell (SGR).

Lee County Emergency Medical Services stated in a breach notification posted on its website on August 11, 2022 that it received a notification on August 4, 2022 about a data breach that occurred at the law firm. SGR stated it found out on August 9, 2021 that an unauthorized individual exfiltrated files containing its clients’ sensitive data from its systems. A vendor was employed to help investigate and find out the extent of the breach.

The analysis of the files was finished on May 17, 2022. SGR mentioned the breached data involved names, addresses, driver’s license numbers, Social Security numbers, government IDs, and medical data such as medical background, treatment, and diagnosis. SGR reported it took the necessary steps to strengthen security and has provided the affected patients with free credit monitoring services.

Lee County Emergency Medical Services stated it was informed of the breach on August 4, 2022, and has since been working directly with Intermedix Corporation to determine the impacted persons. Notification letters are going to be sent to impacted persons in 14 to 21 days. The breach is not yet posted on the HHS’ Office for Civil Rights breach website; hence it is uncertain how many persons were impacted. Lee County Emergency Medical Services reported approximately 2% of the files provided to SGR had been exposed.