Ransomware Attacks Reported by Professional Business Systems and Prima Pediatrics

Professional Business Systems, Inc., doing business as Practicefirst Medical Management Solutions and PBS Medcode Corp, a medical management services provider for healthcare companies, has suffered a ransomware attack in which the attackers acquired patient information.

The service provider discovered the ransomware attack on December 30, 2020, immediately shut down its systems to contain the attack, and notified law enforcement. Third-party cybersecurity specialists investigated the incident.

Practicefirst has not confirmed whether the ransom was paid; however, it said the attacker gave assurances that the files stolen from its systems were destroyed and will not be further exposed.

There were no known cases of patient data misuse; nevertheless, all impacted persons were instructed to monitor their accounts for any indication of fraudulent activity.

The types of patient data included in the breached files were different from one patient to another and might have contained the data elements listed below:

name, address, email address, birth date, driver’s license number, Social Security number, laboratory, diagnosis, and treatment data, patient ID number, medication data, medical insurance identification and claims data, tax ID number, employee username and password, employee username and security Q&A, and bank account and/or debit card/credit card data.

Additional security measures have since been put in place to better secure its email, network, and other IT systems.

Prima Pediatrics Experiences Suspected Ransomware Attack

Prima Pediatrics detected the compromise of some of its computer systems and the installation of malware that rendered a number of its systems non-functional and the information stored on those systems inaccessible.

Prima Pediatrics stated that the majority of the information on the impacted computers is believed to have been encrypted during the attack, and that it had no information indicating improper use of patient information. The investigation found no evidence that the attackers exfiltrated any patient information. The impacted systems contained the following protected health information (PHI): names, diagnoses, medical conditions, and medical histories.

All patients potentially impacted by the breach were notified and instructed to monitor their accounts and explanation of benefits statements for any indication of fraudulent activity. Prima Pediatrics will assess and update its privacy and information security policies and procedures to prevent similar incidents from happening again.

Elekta Cyberattack Impacts Northwestern Memorial HealthCare and Renown Health Patients

Northwestern Memorial HealthCare in Chicago, IL and Renown Health in Reno, NV were impacted by a cyberattack on Elekta, a business associate that provides a software system used for clinical radiotherapy for patients with cancer and brain disorders.

Stockholm-based Elekta discovered the data breach and released a statement confirming unauthorized access to its first-generation cloud-based storage system, which affected a subset of its North American customers.

Elekta is cooperating with the authorities and third-party cybersecurity specialists to determine exactly how the breach happened and the nature and extent of the breach. Elekta began notifying impacted healthcare providers in April 2021.

Elekta’s investigation showed that its systems were attacked from April 2, 2021 to April 20, 2021. The attackers gained access to its systems and exfiltrated data, including the data of oncology patients; however, the breach affected only Elekta’s systems. No systems belonging to its healthcare provider clients were compromised.

Northwestern Memorial HealthCare stated the database contained data like patient names, birth dates, Social Security numbers, medical insurance data, medical record numbers, and clinical data associated with cancer treatment, including medical records, doctor names, dates of service, treatment details, diagnoses, and/or prescribed medicine details.

Renown Health submitted a breach report indicating the compromise of 65,181 patients’ data such as names, addresses, Social Security numbers, birth dates, diagnoses, medical treatment details, appointment schedules and other patient data like weight and height.

Northwestern Memorial HealthCare stated that the database contained the protected health information (PHI) of 201,197 oncology patients who received treatment at one of the hospitals listed below:

  • Northwestern Medicine Delnor Community Hospital
  • Northwestern Medicine Central DuPage Hospital
  • Northwestern Medicine Huntley Hospital
  • Northwestern Medicine Lake Forest Hospital
  • Northwestern Medicine Kishwaukee Hospital
  • Northwestern Memorial Hospital
  • Northwestern Medicine McHenry Hospital
  • Northwestern Medicine Valley West Hospital

Although data theft was confirmed, Elekta reported that there has been no misuse or exposure of any patient data.

Northwestern Memorial HealthCare stated that people whose Social Security number was compromised will receive free credit monitoring and identity theft protection services. Renown Health said Elekta is offering free identity monitoring, fraud consultation, and identity theft restoration assistance.

A total of 42 healthcare systems are believed to have been impacted by the breach. In several instances, impacted facilities had to temporarily halt cancer treatments and arrange patient treatment at other healthcare facilities.

The breach also impacted the following:

  • 8,000 patients of Cancer Centers of Southwest Oklahoma, OK
  • 4,687 patients of Charles Health System, OR
  • 200+ patients of Yale New Haven, CT
  • Unknown patients of Carle Health, IL
  • Unknown patients of Lifespan, RI
  • Unknown patients of Southcoast Health, MA

Maximus Data Breach Impacts 334,000 Medicaid Healthcare Service Providers

Ohio Medicaid has reported a data breach at Maximus Corp, its data manager, that resulted in the compromise of the personal data of Medicaid healthcare providers.

Maximus is an international vendor of government health information services. Because it provides those services, it has access to the personal data of Medicaid healthcare providers. On May 19, 2021, Maximus learned that unauthorized individuals had accessed a server containing personal data furnished to the Ohio Department of Medicaid (ODM) or to a Managed Care Plan between May 17 and May 19, 2021.

When Maximus discovered the breach, it took the server offline to block the attacker’s unauthorized access. A leading third-party cybersecurity company is investigating the incident. The cybersecurity company stated that the breach was limited to a single application on the server and did not affect any other servers, applications, or systems.

No evidence has been identified that shows misuse of any data inside the application, although data theft cannot be ruled out. The application was used for credentialing or tax identification requirements associated with each individual’s role as a healthcare service provider.

The application contained the following types of sensitive information: names, Social Security numbers, birth dates, and Drug Enforcement Administration (DEA) numbers. According to Maximus, the breach did not affect persons covered by Medicaid.

Maximus stated that the quick identification of the breach limited the potential negative impact; nevertheless, because there is a possibility of data theft, it sent notifications to all affected people on June 18, 2021. The company also offered free credit monitoring services for two years.

Maximus has reported the breach to the Maine Attorney General, indicating that 334,690 people were affected. Those people are located in several U.S. states.

PHI of Approximately 500,000 People Potentially Stolen During the Wolfe Eye Clinic Ransomware Attack

Wolfe Eye Clinic, which operates a network of eye health clinics across Iowa, has reported that it suffered a ransomware attack on February 8, 2021. Attackers gained access to its network, deployed ransomware, and encrypted files. As in most ransomware attacks today, the hackers exfiltrated information from Wolfe Eye Clinic systems before encrypting files. The clinic received a ransom demand in exchange for the file decryption keys; however, it opted not to pay the ransom and instead restored files from backups.

Wolfe Eye Clinic stated in its substitute breach notification letter that prompt action was taken to secure its network. Third-party IT security and forensic experts were engaged to determine the nature and scope of the security breach. Because of the scale and sophistication of the attack, the team only determined the full scope of the breach on May 28, 2021 and identified the data exposed during the attack.

The forensic inquiry, which ended on June 8, 2021, confirmed that the hackers viewed and exfiltrated the information of present and past patients. The stolen protected health information (PHI) contained names, contact information, dates of birth, Social Security numbers, and for certain persons, medical data.

Wolfe Eye Clinic began sending notification letters to impacted persons and offered free identity theft protection and credit monitoring services for one year through IDX. Wolfe Eye Clinic said it is implementing additional security measures to prevent further attacks.

The attackers appear to have exfiltrated a large volume of data. According to KCCI Des Moines, the incident impacted around 500,000 people, making it one of the largest ransomware attacks on a single healthcare company reported in 2021.

Scripps Health Ransomware Attack Affects 147,000 Individuals

Scripps Health, the second-largest healthcare organization in San Diego, has begun sending breach notification letters to 147,267 individuals to inform them of the theft of their personal and health information in a ransomware attack on May 1, 2021.

The attack forced Scripps Health to invoke its EHR downtime procedures because its systems had to be taken offline. Personnel at its medical clinics and hospitals had to rely on paper charts while systems were repaired and records restored. That period lasted roughly a month, during which access to vital patient data such as test results was unavailable. Scripps Health only regained the ability to create new records a week ago, when the MyScripps patient portal was brought back online.

The attack affected many of the healthcare provider’s care sites and disrupted operations at two of its hospitals. Scripps Health redirected a number of critical patients to other facilities, with all four of its main hospitals placed on emergency care diversion for heart attack, trauma, and stroke patients. Many non-urgent appointments also had to be postponed in the days following the attack.

Scripps Health stated that its main Epic medical record system was not breached, although before deploying the ransomware the threat actors obtained records that included patient information such as names, dates of birth, addresses, medical insurance details, patient account numbers, medical record numbers, and some clinical data, for instance physicians’ names, dates of service, and treatment details. The attackers also obtained the driver’s license numbers and/or Social Security numbers of about 3,700 people. Free credit monitoring and identity protection services are being offered to those individuals.

Scripps Health has begun a manual review of the records compromised in the attack and said it is a time-intensive process that will most likely take a few months. It is not yet known what other information the documents contain, Scripps Health said in its statement on the attack, adding that notification letters are being sent to impacted people promptly.

Scripps Health said it is unfortunate that many healthcare organizations are struggling with the effects of a growing cyber threat environment, but that it is implementing enhancements to its data security, systems, and monitoring capabilities. It is also working directly with federal authorities to support the ongoing investigation.

Ransomware Attacks Affect Patients of Community Access Unlimited and CareSouth Carolina

13,813 Individuals Affected by Community Access Unlimited Ransomware Attack

Community Access Unlimited, based in Elizabeth, NJ, has begun notifying 13,813 individuals that their PHI was stored on systems that had been accessed by unauthorized people.

On November 10, 2020, Community Access Unlimited identified suspicious activity in its internal systems. The provider immediately took its systems offline, and third-party forensics experts were engaged to determine the nature and scope of the breach.

The investigation confirmed that unauthorized people accessed its systems from June 29, 2020 to November 12, 2020, but it was not possible to determine whether the attackers viewed or exfiltrated any patient information.

An analysis of the exposed systems revealed the following data may have been accessed or copied: names, dates of birth, state identification card numbers, driver’s license numbers, non-resident identification numbers, health data, medical insurance beneficiary numbers, and usernames and passwords.

Policies and procedures have since been reviewed and improved to reduce the potential for further attacks. Impacted persons have been notified, and complimentary credit monitoring and identity restoration services were offered to those potentially affected.

76,035 CareSouth Carolina Patients Affected by Ransomware Attack

CareSouth Carolina, based in Hartsville, SC, has notified 76,035 patients of the potential compromise of some of their protected health information (PHI) in a ransomware attack on Netgain Technologies, its IT vendor.

Netgain informed CareSouth Carolina on January 14, 2021 that it had suffered a ransomware attack in December 2020, and that the hackers had gained access to servers containing patient records since late November, some of which were exfiltrated prior to the deployment of the ransomware.

On April 13, 2021, Netgain provided CareSouth Carolina with a copy of the information that was likely breached. CareSouth Carolina reviewed the information and on April 27, 2021 determined that the dataset contained patient names, addresses, dates of birth, diagnoses/medical conditions, lab test results, medications, and other clinical details. For some patients, Social Security numbers were also included.

The threat actors sent Netgain a ransom demand and threatened to sell the stolen records if no payment was made. Netgain decided to pay the ransom and obtained assurances that the stolen files were deleted and not further shared.

Since the data breach, Netgain and CareSouth have implemented additional security measures to prevent similar attacks, and CareSouth is providing affected patients with free identity theft protection services.

Healthcare Providers Announce Recent Ransomware Attacks Affecting Patients

In the aftermath of the ransomware attack on Colonial Pipeline, a number of ransomware gangs such as REvil and Avaddon said they had introduced new rules requiring their affiliates to obtain permission before attacking a target, and that attacks on healthcare companies were prohibited. Nonetheless, many ransomware-as-a-service operations have not enforced such prohibitions, and healthcare providers are still being targeted. Recently, a number of healthcare organizations have confirmed attacks.

San Diego Family Care

San Diego Family Care (SDFC) in California has reported that it was affected by a ransomware attack in December 2020. SDFC and its business associate Health Center Partners of Southern California (HCP) were impacted by a ransomware attack on their information technology hosting vendor, Netgain Technologies. Netgain Technologies reportedly paid a $2.3 million ransom to obtain the keys to unlock the encrypted files and informed SDFC and HCP on January 20, 2021 that the protected health information (PHI) of their patients had been compromised.

SDFC and HCP were given a copy of the affected data and conducted a review to determine which people were impacted and the types of information affected. The analysis was completed on April 11, 2021, and so far 125,500 patients are known to have been impacted.

SDFC explained in its substitute breach notice that the following types of data were breached: names, Social Security numbers, government identification numbers, financial account numbers, dates of birth, medical diagnosis or treatment data, health insurance details, and/or client IDs. Affected persons were sent breach notification letters by mail on May 7, 2021.

SAC Health Systems

SAC Health Systems, based in San Bernardino, CA, was also a victim of the ransomware attack on its former IT service provider, Netgain Technologies. SAC Health Systems was informed by Netgain Technologies on January 15, 2021 that the ransomware gang had accessed its servers containing patient information between November 15, 2020 and November 22, 2020.

SAC Health Systems stated on April 20, 2021 that the ransomware attack affected 28,128 individuals. The types of records exposed included names, birth dates, addresses, Social Security numbers, driver’s license numbers, state identification numbers, tax IDs, financial account data, medical histories, electronic signatures, medical insurance details, medical record numbers, doctor names, prescription details, and reason for absence. All impacted people are now being notified.

Harper County Community Hospital

Harper County Community Hospital based in Oklahoma has reported that it experienced a ransomware attack on March 24, 2021 that resulted in the potential compromise of the PHI of 5,725 patients.

The hospital stated that the attack did not affect patient medical records; however, workstations and shared drives were affected, and they contained files with first and last names, birth dates, residence addresses, Social Security numbers, patient account numbers, diagnoses, and medical insurance data.

Harper County Community Hospital took prompt corrective action and has implemented extensive IT security practices and backup procedures, and updated its HIPAA policies and guidelines. All impacted persons are currently being notified of the attack.

Rehoboth McKinley Christian Health Care Services Reports a Ransomware Attack

Rehoboth McKinley Christian Health Care Services (RMCHCS), based in Gallup, NM, has reported that it was attacked by ransomware in February 2021, resulting in the exfiltration of patient information.

The Conti ransomware gang attacked in February and stole a selection of sensitive information, including job application records, background check data, staff reports, and patients’ protected health information (PHI). A portion of the compromised files was published on the Conti data leak site to pressure the healthcare organization into paying the ransom demand. The information is no longer posted on the leak site; however, it is unclear whether the company paid the ransom.

RMCHCS learned on February 16, 2021 that a ransomware group had stolen patient information. RMCHCS engaged a third-party computer forensics firm to investigate the attack, and it was confirmed that the attackers exfiltrated information between January 21 and February 5, 2021. An analysis of the files potentially viewed by the attackers was completed on April 30, 2021. RMCHCS has sent breach notification letters to the affected persons.

RMCHCS stated that the attackers potentially accessed the following information: names, addresses, phone numbers, email addresses, birth dates, dates of service, driver’s license numbers, Social Security numbers, passport numbers, tribal ID numbers, medical insurance data, medical record numbers, provider names, diagnoses, treatment details, prescribed medication data, financial account data, and billing and claims information. The types of information potentially compromised differed from one person to another.

RMCHCS has offered free identity monitoring and restoration services to the people impacted by the breach, and has taken steps to harden its systems against cyberattacks and improve security and monitoring.

The breach has been reported as impacting 209,280 people.

PHI Exposed Due to the University of Florida Health Shands, St. Paul’s PACE and St. John’s Well Child and Family Center Breaches

University of Florida Health Shands has discovered that a former employee accessed the medical information of 1,562 patients without valid authorization.

The HIPAA violations were identified on April 7, 2021. The provider promptly blocked the employee’s access to health records pending an investigation. The investigation confirmed that the employee had been viewing patient medical records without a valid work reason from March 30, 2019 to April 6, 2021.

The following types of information may have been viewed: names, phone numbers, addresses, birth dates, and lab test results; no Social Security numbers, financial data, or health insurance data were compromised.

University of Florida Health Shands believes that no PHI was stolen or further disclosed; nevertheless, as a precaution, affected people were offered one year of complimentary credit monitoring services.

Third-Party Breach Affects Patients of St. Paul’s PACE

Community Eldercare of San Diego, doing business as St. Paul’s PACE, was impacted by a breach at one of its vendors. PeakTPA, a health plan management company, provides billing and other administrative services to St. Paul’s PACE. PeakTPA suffered a cyberattack on December 31, 2020 that resulted in the compromise of the records of some St. Paul’s PACE patients.

Although the cybercriminal gang behind the attack was not named in its breach notice, PeakTPA stated that the FBI disrupted the gang on January 27, 2021 and that all documents stolen in the attack were recovered. The timing suggests the Netwalker ransomware gang may have carried out the attack.

PeakTPA stated that the attackers may have obtained information such as names, addresses, dates of birth, medication details, and Social Security numbers. Affected persons were offered three years of free credit monitoring, fraud consultation, and identity theft restoration services through Kroll. PeakTPA stated that it has implemented additional security measures to prevent similar breaches in the future.

Cyberattack Impacts 29,000 Patients of St. John’s Well Child and Family Center

St. John’s Well Child and Family Center, Inc., located in West Sacramento, CA, is notifying 29,030 people of a cyberattack on February 3, 2021 that resulted in the potential exposure of some of their protected health information.

When the family center discovered the attack, it promptly took steps to secure its systems and engaged third-party cybersecurity specialists to assist with the breach investigation. The investigation confirmed that the attackers likely accessed or obtained PHI such as names, Social Security numbers, and other personal or medical data.

People whose Social Security number was likely compromised were offered complimentary credit monitoring and identity theft protection services for one year.

Ransomware Attack on New York Medical Group and Entrust Medical Billing

Orthopedic Associates of Dutchess County, a New York medical group practice, has reported the potential theft of the protected health information (PHI) of certain patients in a recent cyberattack.

The security breach was discovered on March 5, 2021 after suspicious activity was identified in its systems. An investigation established that unauthorized individuals had accessed its network on or around March 1, 2021. The attackers gained access to selected systems, encrypted files, and issued a ransom demand for the keys to decrypt the files.

The attackers claimed to have taken sensitive data prior to encrypting the files, though it was not possible to determine which files had been stolen. A review of the systems the hackers accessed revealed that they contained files with PHI such as names, email addresses, addresses, contact telephone numbers, dates of birth, payment information, emergency contact details, diagnoses, treatment data, medical record numbers, health insurance details, and Social Security numbers.

People potentially affected by the breach were notified by mail and offered a 12-month complimentary membership to credit monitoring and identity theft protection services. Currently, there are no reports of attempted or actual misuse of any patient information.

The breach resulted in the potential compromise of the protected health information of 331,376 people.

PHI of 5,426 Persons Compromised in Entrust Medical Billing Ransomware Attack

Entrust Medical Billing, a medical billing company based in Canton, OH, has suffered a ransomware attack that resulted in the probable exposure of the PHI of 5,426 persons.

Third-party cybersecurity specialists were engaged to assist with the investigation and determine the extent of the security breach. On or around March 1, 2021, the investigation confirmed that the attackers had exfiltrated some files containing PHI such as names, birth dates, addresses, medical diagnosis/clinical data/treatment type or location, medical procedure details, medical insurance data, and patient account numbers.

Although the investigation confirmed the data theft, no evidence was found of actual or attempted misuse of the stolen data. Affected people have now been notified, and those whose Social Security numbers were compromised were offered free credit monitoring services. The company has also implemented new technical safeguards and increased monitoring across its network environment.

Health Aid of Ohio Security Breach Impacts Around 141,000 People

Health Aid of Ohio, a full-service home medical equipment company based in Parma, OH, has discovered that unauthorized persons gained access to its systems and copied certain files. The breach was discovered on February 19, 2021 upon detection of suspicious network activity. Health Aid of Ohio quickly took action to remove the attackers from its systems and secure patient information.

A breach investigation confirmed that the attacker accessed and exfiltrated files from Health Aid’s network; however, it could not be determined precisely which files were taken. Some of the exfiltrated files may have included the protected health information (PHI) of VA plan members.

The data potentially accessed included names, phone numbers, addresses, and details of the type of equipment delivered to or repaired in people’s homes. The PHI of people who received services through their insurance provider or healthcare company included names, phone numbers, birth dates, Social Security numbers, insurance details, diagnosis data, and type of equipment.

Although the above details may have been stolen, no reports have been received so far that suggest any fraudulent misuse of the data.

Health Aid of Ohio has not disclosed how the attackers gained access to its systems or whether malware or ransomware was used, but it has notified the Federal Bureau of Investigation (FBI) and the appropriate authorities. The breach report submitted to the HHS’ Office for Civil Rights shows that around 141,149 people were potentially affected.

PHI Potentially Exposed in River Springs Health Plans Phishing Attack and Netgain Ransomware Attack

An unauthorized person gained access to a River Springs Health Plans employee’s email account and deployed malware that likely made it possible to copy the contents of the email account. The employee clicked on the phishing email on September 14, 2020. The provider found the malware and removed it the next day. The email account was also secured.

A leading forensics firm was retained to assist the investigation and determine whether the attackers viewed or obtained any sensitive data. No evidence was found indicating that any member data was copied; nevertheless, data theft cannot be ruled out. A thorough review of the affected account, completed on February 17, 2021, found that the PHI of 31,195 River Springs Health Plans members was stored in the account.

The types of information contained in the account differed from person to person and may have included: first and last names, birth dates, Medicaid ID, Medicare ID, member ID, Social Security number, and references to medical data, such as healthcare provider details. No financial data was affected.

River Springs Health Plans has taken steps to strengthen email security and has retrained staff on identifying phishing emails and reporting suspicious messages. Impacted persons have been notified and offered free credit monitoring services.

Netgain Ransomware Attack Affected Health Center Partners of Southern California

Health Center Partners of Southern California (HCP) has reported that it was impacted by the ransomware attack on Netgain Technology LLC, its IT service supplier.

HCP supports community health centers in Southern California, which requires access to patient data, some of which was stored on systems affected by the ransomware attack in September 2020. Netgain’s investigation established that between October 22, 2020 and December 3, 2020, the attacker obtained files containing PHI, including HCP information.

Netgain paid the ransom demand to prevent further exposure of the stolen information and obtained assurances that the attackers had deleted the records. The dark web is being searched and hacking forums monitored for any sign of data exposure. HCP said in its breach notification that there is no reason to believe any information stolen in the attack will be misused; nevertheless, as a precaution, impacted people were offered free identity protection services from IDX.

Radiation Treatments Interrupted Because of Software Vendor Cyberattack

Elekta, the Swedish oncology and radiology system provider, is recovering from a cyberattack that forced it to take down its first-generation cloud-based storage system on April 20, 2021. Although the company has confirmed the security breach, no information about the actual nature of the cyberattack has been released yet. It is unclear what kind of malware was used, though it is assumed to be ransomware. The cloud-based storage system was taken offline to contain the problem.

Elekta stated that only a subset of its U.S. customers that use its software were impacted and are experiencing a service outage because the cloud-based system is down. Elekta is migrating those clients to its new Microsoft Azure cloud and is working 24/7 to complete that process. All impacted clients have been notified, but only limited information about the incident has been released publicly so as not to compromise the company’s and law enforcement’s investigations. Elekta reports that the problem has now been fully resolved.

Yale New Haven Health, based in Connecticut, is one U.S. healthcare company impacted by the cyberattack on Elekta. Yale New Haven Health had to take its radiation devices offline until the problems were resolved. The software is used on linear accelerators for radiation therapy. Systems were offline for over a week, and a number of cancer patients were referred to other healthcare providers to continue their treatment.

Other healthcare providers known to have been affected include Lifespan Corp. and Southcoast Health in Massachusetts. Lifespan, which operates Rhode Island Hospital and the Lifespan Cancer Institute, confirmed that only one afternoon of appointments was lost at its radiation oncology centers, and those were rebooked for the following day. No other treatments were postponed or delayed.

Elekta issued a statement saying no evidence has been found that any data was extracted or copied. Elekta said about 170 U.S. customers that use its first-generation web-based system have experienced service interruptions to at least one of their products.

Ohio Law Firm Ransomware Attack and California Department of State Hospitals Insider Breach

Bricker & Eckler said the attackers confirmed that the stolen data had been deleted and gave assurances that it would not be disclosed further and that no copies had been retained.

As a full-service law firm serving clients in the healthcare sector, Bricker & Eckler was given access to selected protected health information (PHI) by its clients during their engagements, and that data was used to provide legal services. It is possible that some of that data was viewed or acquired during the attack.

Bricker & Eckler said the following PHI may have been exposed: names and addresses and, for some individuals, medical data and/or education-related data, Social Security numbers, and/or driver's license numbers.

The law firm began mailing notification letters to all affected individuals on April 6, 2021. It has implemented measures to improve the security of its network, internal systems, and software to prevent similar attacks in the future.

Bricker & Eckler reported the breach to the HHS' Office for Civil Rights as affecting 420,532 individuals.

California Department of State Hospitals Finds Out Insider Breach More Serious Than Earlier Thought

In March 2021, the California Department of State Hospitals (DSH) reported that an employee in an IT role had accessed the data of 1,415 current and former patients and 617 employees without authorization over a 10-month period. The breach was discovered on February 25, 2021 during routine monitoring of employee access to data folders.

At the time of that announcement, the investigation into the insider breach was still in progress. It has now been confirmed that the breach was more extensive than initially thought: the data of 1,735 current and former Atascadero State Hospital employees and 1,217 unsuccessful DSH job applicants was also viewed. The data included telephone numbers, email addresses, dates of birth, Social Security numbers, and health information. Although this sensitive data was accessed, no reports of misuse have been received.

Ransomware Attacks on the University of Miami Health and Mott Community College

A ransomware attack on Accellion, a file transfer service provider, gave unauthorized individuals access to the protected health information (PHI) of University of Miami Health patients.

The University of Miami Health used Accellion's file transfer technology to share files too large to send by email. The university said only a small number of individuals used the Accellion solution. Immediate action was taken to limit the impact of the incident, and the university has since stopped using Accellion's file transfer services.

The investigation into the attack is ongoing, and the review of the files that were obtained or potentially exposed has not been completed, so the number of individuals affected is not yet known.

The University of Miami believes none of its own systems were breached and that it only sent or received a limited number of files through Accellion's service.

The gang behind the attack demanded a $10 million ransom for the keys to decrypt the files and to prevent the data from being posted online or sold on dark web marketplaces. Some of the stolen data, including data relating to University of Miami Health patients, has already been published on the gang's leak site.

The University of Miami is one of several Accellion customers affected by the breach; others include the University of Colorado, Kroger, Arizona Complete Health, Centene, and Shell Oil.

Mott Community College Ransomware Attack Affected 1,612 Dental Plan Members

Mott Community College has notified 1,612 individuals that unauthorized individuals obtained files containing their PHI before deploying ransomware on its systems.

A third-party cybersecurity firm was engaged to investigate the incident and determine its scope. The investigation found that the attackers had access to the network from November 27, 2020 until January 9, 2021.

On January 23, 2021, Mott Community College learned that the attackers had exfiltrated sensitive data before deploying the ransomware, and that some of the files related to individuals covered by its self-insured dental plan. A review of those files showed they contained names, dates of birth, and dental plan enrollment and claims information for individuals enrolled in the plan in 2014, 2015, and 2019.

Mott Community College began sending notification letters to all affected individuals on March 24, 2021. Although data exfiltration was confirmed, that does not necessarily mean the attackers viewed, misused, or disclosed the contents of the files. The college has since implemented additional safeguards and technical security measures to prevent further attacks, including multifactor authentication for all systems and email access and stricter password requirements.

SalusCare Files Lawsuit Against Amazon to Get Access to AWS Audit Logs to Investigate Data Breach

SalusCare, a behavioral healthcare provider in Southwest Florida, suffered a cyberattack in March that resulted in the exfiltration of patient and employee data from its systems. SalusCare has not confirmed how access was gained, but the attack is believed to have started with a phishing email that delivered malware. The attacker exfiltrated the entire contents of its databases to storage in an Amazon Web Services (AWS) account.

The attack took place on March 16, 2021 and, according to the breach investigation, the attacker appeared to be located in Ukraine. The attacker gained access to SalusCare's Microsoft 365 environment, stole sensitive data, and uploaded it to two Amazon S3 buckets.

Amazon was notified of the criminal activity and suspended access to the S3 buckets so the attacker could no longer reach the stolen data. SalusCare requested copies of the audit logs, which it needs to continue investigating the breach and determine exactly what data was taken. SalusCare also wants assurance that the suspension is permanent and will not be lifted by Amazon.

The S3 buckets were used to store SalusCare's data, but Amazon will not voluntarily hand over copies of the audit logs or the bucket contents because SalusCare is not the owner of the buckets. The two buckets are known to contain about 86,000 files stolen in the attack.

To obtain copies of the audit logs and data, SalusCare filed a lawsuit in federal court seeking injunctive relief under Florida's Computer Abuse and Data Recovery Act. SalusCare is asking the court to order Amazon to provide access to the audit logs and a copy of the contents of the two S3 buckets, and to suspend access permanently so the attacker cannot retrieve the data or copy it to another cloud storage service. SalusCare has also sued the unidentified individual behind the attack as John Doe.

The lawsuit asserts that the stolen data hosted by Amazon is highly sensitive and could be used for identity theft, sold on darknet marketplaces, or released publicly.

In its petition to the U.S. District Court in Fort Myers, SalusCare explained that the files contain extremely personal and sensitive records of patients' psychiatric and addiction counseling and treatment. The files also contain sensitive financial data, including credit card numbers and Social Security numbers of SalusCare employees and patients.

The lawsuit asks that, once Amazon has provided SalusCare with a copy of the data and the audit logs, the S3 buckets be emptied to prevent any further unauthorized access.

Amazon did not oppose the injunctive relief sought by SalusCare. On March 25, 2021, The News-Press reported that a federal District Court judge had granted the request.

Reinvestigation of 2019 Metro Presort Ransomware Attack Shows Potential Compromise of PHI

Metro Presort, a technology and communications solutions provider based in Portland, OR, suffered a ransomware attack on May 6, 2019 in which files were encrypted and staff were locked out of its systems. The company detected the attack promptly and had secured its systems by May 15, 2019, recovering relatively quickly. Investigators found no evidence that files had been removed from its systems and, because the company already encrypts customer data, it was considered unlikely that the attackers could have accessed any sensitive data.

Metro Presort re-investigated the attack in October 2020. This time it could not confirm that the files containing customer data had been encrypted before the attack, so the attackers could potentially have accessed statements, invoices, and spreadsheets that Metro Presort prepared for its clients, including healthcare providers. A substitute breach notice posted on the Metro Presort website on November 24, 2020 stated that a review of those files confirmed they contained patient names, addresses, dates of birth, patient and health plan account numbers or IDs, appointment dates, diagnosis codes, treatment codes, and treatment dates.

The HHS' Office for Civil Rights breach portal recently listed the incident as potentially compromising the PHI of up to 38,387 individuals. Metro Presort said in its breach notice that OCR had investigated its response to the breach and its policies and procedures, and closed the case on December 31, 2020 after finding no violation of the HIPAA Rules.

Metro Presort also said in its notice that, both before and after the incident, MPI has devoted substantial resources to maintaining and improving its data security, including deploying up-to-date technical security measures to prevent similar incidents, additional protection (encryption) of customer documents, and security reviews.

Universal Health Services Lost $67 Million in 2020 Due to Ransomware Attack

2020 was a particularly bad year for the healthcare industry with respect to ransomware attacks. One of the hardest hit was the Fortune 500 health system Universal Health Services (UHS), based in King of Prussia, PA.

UHS, which operates 400 hospitals and behavioral health facilities across the U.S. and the U.K., suffered a cyberattack in September 2020 that took down its IT systems, affecting all of the hospitals and medical centers it operates nationwide.

The telephone system, computers, and electronic health records were unavailable, so staff reverted to pen and paper to record patient information. In the hours immediately after the attack, the health system diverted ambulances to other facilities and postponed or redirected some elective procedures to other hospitals. Patients also reported delays in receiving test results while UHS recovered from the attack.

After the attack, UHS worked around the clock to restore its IT systems and resume normal business operations, but full recovery took three weeks. The disruption naturally had a significant financial impact. UHS's earnings report for the fourth quarter of 2020 showed a $42.1 million loss from the attack, or 49 cents per diluted share. UHS ended the quarter with $308.7 million in revenue, up 6.6% on the fourth quarter of 2019.

Restoring its IT infrastructure added considerably to labor costs, both internal and external. Administrative tasks such as coding and billing fell behind and were not brought back up to date until December 2020, which affected cash flow.

UHS reported approximately $67 million in pre-tax losses in 2020 as a result of the attack, mainly from lower operating income, reduced patient activity, and higher revenue reserves due to delayed billing. UHS expects to recover most of the $67 million under its insurance coverage.

Microsoft Releases Patches for 4 Actively Exploited Flaws in Microsoft Exchange Server

Microsoft has released out-of-band security updates to fix four zero-day vulnerabilities in Microsoft Exchange Server that are being actively exploited by a Chinese Advanced Persistent Threat (APT) group tracked as Hafnium.

The attacks have been under way since early January 2021, with the group targeting defense contractors, law firms, colleges and universities, NGOs, think tanks, and infectious disease researchers in the United States. Exploiting the vulnerabilities allows the attackers to exfiltrate mailboxes and other data from vulnerable Exchange servers, run essentially any code on the servers, and install malware for persistent access.

Hafnium was previously unknown; it is a sophisticated APT group believed to be sponsored by the Chinese government. The group chains the four zero-day vulnerabilities together to steal sensitive data held in email. Developing the exploits required skill, but using them is straightforward and lets the attackers exfiltrate large volumes of sensitive data with ease. Although the group operates from China, it leases virtual private servers in the United States for its attacks, which helps it stay under the radar.

The flaws affect Exchange Server 2010 and all supported Exchange Server versions (2013, 2016, and 2019), and patches have been released for Exchange Server 2010, 2013, 2016, and 2019. Exchange Online and personal email accounts are not affected; only on-premises Exchange servers are.

Microsoft credited the cybersecurity firms Volexity and Dubex with helping to uncover the attacks, which were first identified on January 6, 2021. Now that patches are available, attacks are likely to increase as the group rushes to gain access to as many vulnerable Exchange servers as possible before they are patched.

The vulnerabilities are:

  • CVE-2021-26855: A server-side request forgery (SSRF) vulnerability that allows an attacker to send arbitrary HTTP requests to an on-premises Exchange Server and authenticate as the Exchange server itself.
  • CVE-2021-26857: An insecure deserialization vulnerability in the Unified Messaging service that can be exploited to run arbitrary code as SYSTEM on the Exchange server.
  • CVE-2021-26858 and CVE-2021-27065: Two post-authentication arbitrary file write vulnerabilities that allow an authenticated attacker to write a file to any path on the server. Hafnium chains them with CVE-2021-26855 to obtain the required authentication, although they can also be exploited with stolen credentials.

Once they have initial access to an Exchange server, the attackers deploy a web shell that lets them harvest cached credentials, upload files such as malware for persistent access, run essentially any command on the compromised system, and exfiltrate mailboxes and other data.

Exploits for the vulnerabilities are not believed to be publicly available, and the attacks are currently being carried out only by Hafnium, although that is unlikely to remain the case for long.

Microsoft is urging all customers running vulnerable versions of Exchange to apply the updates immediately. Patching should be followed by an investigation to determine whether the vulnerabilities have already been exploited: the updates close the entry point, but they do not remove web shells or other malware already on the server and will not stop further malicious activity or data exfiltration if the attackers are already inside.

Microsoft has published Indicators of Compromise (IoCs) to help customers determine whether the vulnerabilities have already been exploited.
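As an added illustration of the post-patch investigation described above (this is not Microsoft's published IoC tooling and not code from the original article), the following Python scans IIS W3C log lines from an on-premises Exchange server for requests to .aspx pages under the front-end directories where dropped web shells are served. The watched URL prefixes, the allowlist of stock pages, and the January 2021 cut-off date are assumptions to be adjusted to the IoC list you are working from and to your own build; the log lines are constructed.

```python
"""Scan IIS W3C logs from an on-premises Exchange server for requests to
.aspx pages in the directories where post-exploitation web shells are
dropped. Added illustration, not Microsoft's published IoC tooling."""
from dataclasses import dataclass
from datetime import date
from typing import Iterable, Iterator

# URL prefixes corresponding to the front-end directories used as
# web-shell drop locations. ASSUMPTION: adjust to the IoC list you are
# working from and to your own deployment.
WATCHED_PREFIXES = ("/owa/auth/", "/aspnet_client/")

# .aspx pages a stock install legitimately serves from those directories.
# ASSUMPTION: taken from a reference install; extend it for your build.
ALLOWLIST = {
    "/owa/auth/logon.aspx",
    "/owa/auth/logoff.aspx",
    "/owa/auth/errorfe.aspx",
}

# Exploitation was reported from early January 2021; ignore older entries.
EARLIEST = date(2021, 1, 1)


@dataclass
class Hit:
    when: str
    client: str
    method: str
    path: str
    status: str
    reason: str


def parse_w3c(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one dict per request, keyed by the names in the latest
    '#Fields:' directive (IIS writes a new directive when the layout
    changes, so the header is re-read whenever it appears)."""
    fields = None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # truncated or foreign line; skip rather than misalign
        yield dict(zip(fields, parts))


def suspicious_requests(lines: Iterable[str]) -> list:
    """Return requests to non-stock .aspx pages under the watched prefixes
    on or after EARLIEST. POSTs are called out separately: a web shell
    receives its commands in the request body."""
    hits = []
    for rec in parse_w3c(lines):
        try:
            when = date.fromisoformat(rec["date"])
        except (KeyError, ValueError):
            continue
        if when < EARLIEST:
            continue
        path = rec.get("cs-uri-stem", "").lower()
        if not path.endswith(".aspx"):
            continue
        if not path.startswith(WATCHED_PREFIXES) or path in ALLOWLIST:
            continue
        method = rec.get("cs-method", "")
        reason = "non-stock .aspx page in a web-shell drop directory"
        if method == "POST":
            reason += "; POST body is the likely command channel"
        hits.append(Hit(
            when=f"{rec['date']} {rec.get('time', '')}",
            client=rec.get("c-ip", ""),
            method=method,
            path=path,
            status=rec.get("sc-status", ""),
            reason=reason,
        ))
    return hits


# Constructed sample log: one legitimate logon page request, two requests
# to pages that do not exist on a stock install, one such request that
# predates the campaign window, and a normal OWA request.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-03-02 09:14:05 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.test/owa/ 443 - 203.0.113.7 Mozilla/5.0 200
2021-03-02 09:15:41 10.0.0.5 POST /owa/auth/help.aspx - 443 - 198.51.100.23 python-requests/2.25.1 200
2021-03-02 09:16:02 10.0.0.5 GET /aspnet_client/system_web/error.aspx - 443 - 198.51.100.23 python-requests/2.25.1 200
2020-12-20 11:00:00 10.0.0.5 POST /owa/auth/help.aspx - 443 - 198.51.100.23 curl/7.64.0 200
2021-03-02 09:17:30 10.0.0.5 GET /owa/ - 443 user@example.test 203.0.113.7 Mozilla/5.0 200
"""

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG.splitlines()):
        print(f"{hit.when} {hit.client} {hit.method} {hit.path} {hit.status}: {hit.reason}")
```

A hit is a lead, not a verdict: confirm it by locating the page on disk under the Exchange front-end directory and checking its creation time, and treat a POST from an unfamiliar client address to such a page as likely command execution. Because the SSRF flaw lets the attacker authenticate as the server itself, the cs-username field will not reliably identify the intruder, which is why the scan keys on path and method rather than on user.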

PHI Potentially Exposed Due to Cyberattacks on Nebraska Medicine and Hackley Community Care

Nebraska Medicine has begun notifying around 219,000 patients that an unauthorized individual potentially accessed their data as a result of a malware attack.

On September 20, 2020, Nebraska Medicine detected unusual activity on parts of its systems. It isolated the infected devices to limit the impact of the breach and shut down the affected systems to stop the ongoing unauthorized access. Third-party computer forensics experts assisted the investigation to determine the nature and scope of the breach.

The investigation found that an unauthorized individual first gained access to its systems on August 27, 2020 and infected them with malware. Between August 27 and September 20, the individual copied a number of files, some of which contained patient data.

The compromised files related to patients who received care at the Nebraska Medical Center or the University of Nebraska Medical Center, as well as some patients of Faith Regional Health Services, Great Plains Health, or Mary Lanning Healthcare.

The protected health information (PHI) the attackers accessed included one or more of: name, address, date of birth, medical record number, health insurance details, physician notes, laboratory test results, imaging, diagnosis information, treatment information, and/or prescription information. Some patients' driver's license numbers and Social Security numbers were also potentially compromised.

Nebraska Medicine mailed notification letters to the affected individuals on February 5, 2021. Those whose Social Security or driver's license numbers were exposed have been offered free credit monitoring and identity theft protection services. The provider continues to monitor its IT environment for signs of compromise and has enhanced its network monitoring.

Phishing Attack Impacts 2,500 Hackley Community Care Patients

Hackley Community Care in Muskegon, MI is notifying about 2,500 patients that unauthorized individuals potentially accessed some of their PHI.

In September 2020, several employees received a phishing email. One employee clicked a link to a malicious website and entered his or her login credentials, which the attacker captured and used to remotely access the employee's email account between September 7 and September 24, 2020.

The investigation confirmed that only one email account was compromised, and no evidence was found that the unauthorized individuals opened any emails in the account. After the review of the compromised account was completed on December 18, 2020, Hackley Community Care notified all affected individuals.

For most affected individuals, only names and addresses were compromised. Those whose more sensitive data was affected have been offered free TransUnion credit monitoring. Hackley Community Care is strengthening its security procedures to prevent similar incidents in the future.