Ransomware Gangs Attack Missouri Delta Medical Center and Barlow Respiratory Hospital

Barlow Respiratory Hospital, based in Los Angeles, CA, has disclosed that it experienced a ransomware attack on August 27, 2021. The Vice Society ransomware gang conducted the attack and gained access to its network, including the electronic medical record system. Before using ransomware to encrypt data, the gang exfiltrated patient information, some of which was published on the ransomware gang’s dark web data leak site.

Barlow Respiratory Hospital stated that while the attack affected a number of IT systems, the healthcare provider was able to continue operating under its emergency guidelines and patient care was not disrupted.

Upon discovery of the security breach, law enforcement agencies were notified and a third-party cybersecurity company was called in to assist the investigation and determine the extent of the data breach. The attack investigation is still ongoing.

While several ransomware operations have said they will not target healthcare organizations, Vice Society does not fall into that category. The ransomware operation emerged in June 2021 and has already attacked a number of healthcare companies, such as Eskenazi Health in Indianapolis. The ransomware gang has been exploiting new security vulnerabilities, such as the Windows PrintNightmare flaws.

A spokesperson for Barlow Respiratory Hospital stated they will continue to work with law enforcement to support the investigation. They are also working diligently, with the help of a cybersecurity firm, to evaluate what data may have been exposed in the incident. If required, they will in due course notify the people whose records may have been impacted, in accordance with applicable rules and regulations.

Missouri Delta Medical Center Encounters Hive Ransomware Attack

The protected health information (PHI) of patients of Missouri Delta Medical Center, located in Sikeston, MO, was stolen in a ransomware attack carried out by the Hive ransomware gang. At the start of this month, a portion of the stolen records was published on the ransomware gang’s data leak website to pressure the medical center into paying the ransom. The Hive ransomware gang has attacked several healthcare organizations in the last few weeks, such as Memorial Health System.

Missouri Delta Medical Center hired a top-rated forensic security company to investigate the attack and determine the nature and extent of the breach. The medical center was eventually informed by a third party that certain patient information had been stolen and posted on the internet. Based on the posting on the Hive gang’s data leak webpage, the names, phone numbers, addresses, dates of birth, sex/race, Social Security numbers, next of kin data, diagnoses, and financial data of 95,000 persons were stolen in the attack. That information was included in 400 GB of files that were exfiltrated prior to file encryption.

Missouri Delta Medical Center stated the attack did not affect its ability to provide care to patients. The cyberattack investigation is in progress; however, at this point it appears that the attack did not impact its electronic medical record system.

Missouri Delta Medical Center apologizes for any inconvenience this incident may have caused and is taking action to increase security and reduce the risk of a similar incident happening in the future. The medical center remains focused on continuing to serve the community.

Ransomware Attack on Desert Wells Family Medicine Results in Permanent Loss of EHR Information

Desert Wells Family Medicine, based in Queen Creek, AZ, has begun sending notifications to 35,000 patients regarding the compromise of their protected health information (PHI) in a recent ransomware attack. The attack happened on May 21, 2021 and caused the encryption of information, including its electronic health record (EHR) system.

All information was backed up before the ransomware attack, but besides encrypting records, the attacker corrupted backup files, so all records contained in its EHR system prior to May 21 cannot be retrieved. The types of data in the system that the hackers might have obtained in the incident included patient names, dates of birth, addresses, billing account numbers, Social Security numbers, treatment data, and medical record numbers.

Desert Wells stated it did not find any information that suggests any attempted or actual misuse of patient information, and the third-party computer forensics specialists did not find any evidence of the exfiltration of patient data before file encryption, although it was not possible to rule out data theft with a high degree of confidence. As a result, Desert Wells decided to provide affected patients with complimentary identity theft protection and credit monitoring services.

Upon learning the extent of the damage, Desert Wells engaged additional forensics and recovery services to try to retrieve the information. Sadly, these efforts have so far been unsuccessful and patient electronic information prior to May 21, 2021, cannot be recovered, reported Daniel Hoag, MD, Desert Wells’ family medicine physician.

Desert Wells is building a new EHR system and is trying to populate patient records with information taken from other sources, such as hospitals, laboratories, pharmacies, and medical imaging centers; nevertheless, it is probable that some patient data has been permanently lost.

Hoag described this as a distressing situation and sincerely apologized for any problems it may cause. Many healthcare providers in the community, and around the country, were impacted by cybersecurity activities. Desert Wells is therefore moving forward with its efforts to improve the security of its system and the information entrusted to it, such as employing enhanced endpoint detection and round-the-clock threat monitoring, and providing extra training and education to employees.

PHI of 9,800 Atlanta Allergy & Asthma Patients Exposed in Cyberattack

Atlanta Allergy & Asthma has begun notifying 9,851 patients about a January 2021 cyberattack in which their protected health information (PHI) was exposed and likely breached. Atlanta Allergy & Asthma reported that its investigation into the incident confirmed that hackers had access to its system between January 5 and January 13, 2021. Upon learning of the breach, the provider acted promptly to remove the unauthorized people from its network and mitigate any potential harm.

Atlanta Allergy & Asthma employed third-party cybersecurity specialists to find out the nature and magnitude of the breach, with the investigation establishing that the attackers acquired access to segments of the network where documents were kept that included PHI.

A detailed analysis was performed of those documents. Atlanta Allergy & Asthma stated it was established on July 8, 2021 that these types of information were potentially compromised: Names, dates of birth, financial account numbers and/or routing numbers, Social Security numbers, diagnoses, treatment data and costs, procedure types, treatment site, dates of service, provider names, patient account numbers and/or health insurance details.

Atlanta Allergy & Asthma stated it is not aware of any attempted or actual misuse of patient data due to the breach. Beginning on August 20, 2021, the provider sent notification letters to the impacted persons to alert them to the exposure of their patient records so that they can take action to protect against identity theft and fraud, such as signing up for the credit monitoring and identity protection services that are being provided cost-free to affected patients.

Atlanta Allergy & Asthma said it regularly reviews its cybersecurity strategies and internal controls and will be taking action to strengthen the security and privacy of patient records.

Atlanta Allergy & Asthma’s breach notification letter did not reveal the particular nature of the cyberattack; nonetheless, DataBreaches.net got information that this was a ransomware attack conducted by the Nefilim ransomware threat group and that sensitive files were stolen in the attack. Some of the stolen information comprised patient data, and 2GB of stolen records were posted on the Nefilim data leak webpage in March 2021.

48,000 People Impacted by CarePointe ENT Ransomware Attack

CarePointe ENT, an ear, nose, and throat specialist based in Merrillville, IN, has reported that it experienced a ransomware attack on June 25, 2021 and files on its network were encrypted. Some of the encrypted files are known to contain the personal data and protected health information (PHI) of its patients.

It is typical in ransomware attacks for sensitive data to be exfiltrated before ransomware is used to encrypt data files. The primary reason for data exfiltration is to pressure victims into paying the ransom. CarePointe stated it is convinced the attackers’ only goal was to extort money from the practice, and not to acquire patient information. No reports have been received that indicate the misuse of any patient information due to the cyberattack, though after carefully investigating the attack it was not possible to rule out the possibility that the attackers viewed patient information.

CarePointe said it has taken appropriate steps to reduce the likelihood of further cyberattacks, with the additional measures put in place including better threat detection capabilities and restricted remote access to systems. Impacted patients were advised to obtain a free credit report and to examine the report for signs of improper use of their personal data and PHI, and also to consider placing a fraud alert on their credit accounts.

An analysis of the systems which the attackers accessed confirmed that these types of patient information might have been exposed: Name, birth date, address, Social Security number (if given to CarePointe), health insurance data, and related health data.

CarePointe reported the ransomware attack to the Department of Health and Human Services’ Office for Civil Rights indicating that around 48,742 people were affected.

12,000 Patients Affected by Revere Health Phishing Attack

The U.S. Agency for International Development (USAID) was impersonated in a phishing attack that has led to the compromise of the protected health information (PHI) of around 12,000 patients of Utah healthcare provider Revere Health. The phishing attack was quickly discovered by the Revere Health IT staff, which promptly secured the mailbox to block unauthorized access. According to a breach notice posted by Revere Health, the inbox was breached for only about 45 minutes on June 21, 2021.

An investigation of the incident was started to find out if any data in the email account was read or copied. Although it was not possible to ascertain if emails within the account were viewed or exfiltrated, Revere Health stated it has searched the internet and did not find any cases of patient information being exposed online.

A review of email messages and file attachments confirmed they included the PHI of patients of the Heart of Dixie Cardiology Department based in St. George. The data included medical record numbers, birth dates, provider names, procedures, and insurance company names, but no financial details or highly sensitive records.

Revere Health is convinced that the purpose of the attacker was not to obtain access to patient information but to use the email account for a far more advanced phishing attack on Revere Health workers. Considering the limited window of opportunity and the limited nature of the information included in the account, the threat to patients is thought to be minimal. Patients were advised to be vigilant for any attempted data misuse.

Nobelium, the Russian threat group responsible for the SolarWinds supply chain attack, recently impersonated the US Agency for International Development in a phishing campaign. The campaign has been ongoing since early 2021. The attackers took control of the Constant Contact email marketing account used by USAID, and the account was used to send convincing phishing emails to over 350 companies. In that campaign, the objective was to deliver malware by impersonating real USAID email messages. At the end of May, the U.S. Department of Justice seized two domains being used in the spear-phishing attacks.

Mid-Year Threat Report Reveals Huge Increase in Ransomware Attacks

Last July, SonicWall issued a mid-year Cyber Threat Report update, which confirmed a big rise in cyberattacks since 2020. In the first half of 2021, cryptojacking attacks rose by 23%, encrypted threats went up by 26%, IoT attacks increased by 59%, and ransomware attacks increased by 151% compared to the corresponding time period last year.

Ransomware attacks have been growing continuously since Q1 of 2020; however, the rate of increase jumped substantially between Q1 and Q2 of 2021, growing by 63.1% with a total of 188.9 million attempted attacks in Q2. In June, there were 78.4 million attempted ransomware attacks, which is higher than the number of attacks in the 2nd quarter of 2020 and about 50% of the number of attempted ransomware attacks in 2019. The total number of attempted ransomware attacks in the first half of 2021 was 304.7 million.

According to the report, 2021 is the worst year for ransomware that SonicWall has recorded.

About 73% of ransomware attacks usually take place in the United States, but ransomware attacks are growing worldwide. In the first 6 months of 2021, there was a 180% growth in attacks in North America and a 234% increase in ransomware in Europe. The United States had a 185% spike while the UK had a 144% increase in attacks.

Within the United States, some states were heavily targeted. The worst affected state was Florida, registering 111 million ransomware incidents, which is greater than the next nine most hit states put together. New York had 26 million attempted attacks, Idaho had 20 million, and Louisiana had 8.8 million.

The hardest-hit sector is government. 2021 had a triple increase in ransomware attacks, which is the highest point in 2020. In June, government customers were targeted at about ten times the average level. The education sector was also widely targeted, though attacks on healthcare clients have remained reasonably constant throughout the first six months of the year.

The greatest ransomware threat in 2021 was the Ryuk ransomware, as 93.9 million incidents of Ryuk were recorded in the first 6 months of the year, which is three times the level in the corresponding time period in 2020. Cerber ransomware was also a big threat, with 52.5 million cases documented in the first half of 2021. The number of Cerber incidents increased dramatically in April and May. Two-thirds of the 2020 total number of SamSam ransomware attempts were recorded in June alone, with 15.7 million attack attempts.

SonicWall reports that a number of factors have driven the growth in attacks. One main reason is the extreme profitability of cyberattacks. Many firms have paid ransoms to recover files or to prevent the leak of sensitive data stolen in the attacks.

SonicWall says cyber threat actors are likewise getting more successful at locating and encrypting backups, making recovery difficult or impossible if no payment of ransom is made. There was likewise a rise in data theft prior to deploying ransomware. Victims often pay the ransom to retrieve information even if legitimate backups exist to retrieve files.

It is becoming common for threat actors to perform repeat attacks on companies that have paid the ransom, since there is a possibility that a second ransom will likewise be paid. Companies that pay a ransom may also be attacked by other threat actors that have found out that a payment was made.

There was some better news in the report, for example, the significant decline of malware attacks year over year. SonicWall Capture Labs documented 2.5 billion malware attempts in the first six months of 2021, which is a 22% drop from the same time frame in 2020. There was also a drop in the number of malicious PDF and Office files being spread in spam and phishing emails. The use of malicious Office files dropped by 54% in 2021; malicious PDF files dropped by 13%.

University Medical Center of Southern Nevada Reports PHI Exposed During a Cyberattack in June

University Medical Center of Southern Nevada (UMC) has issued another report concerning a cyberattack it suffered in June 2021 and has now confirmed the compromise of some patient data during the attack.

A July 29, 2021 UMC press release reported that the cyberattack took place on June 14, 2021 and was carried out by a well-known group of cybercriminals that uses stolen data for financial gain. UMC stated that it detected the suspicious activity within its IT system and took prompt action to remove the attackers from its network. UMC said the breach was under control on June 15. The preliminary investigation suggested that the attackers had gained access to selected file servers; nevertheless, the immediate action taken by its IT Department resulted in zero disruption to its clinical systems or patient care services.

At first, UMC stated it believed that the attackers did not access any clinical systems, although the investigation had not yet finished confirming the nature and extent of the cyberattack. The forensic investigators have now confirmed that selected files containing patients’ protected health information (PHI) were affected during the attack.

The files included data like names, addresses, birth dates, Social Security numbers, medical insurance data, financial details, and certain clinical data, such as medical backgrounds, diagnoses, and test findings. UMC stated there is no evidence found that suggests the misuse of any particular patient data.

UMC is currently sending notification letters to all persons possibly impacted by the attack and is providing free identity theft protection services.

UMC said it informed the FBI and the Las Vegas Metropolitan Police Department of the cyberattack and is working with third-party cybersecurity experts. It will be employing more internal and external applications to increase the security of patient information and prevent further cyberattacks.

Cyberattack at UF Health States PHI, Eskenazi Health and Sanford Health

On May 31, 2021, UF Health Central Florida experienced a cyberattack that impacted The Villages Hospital and Leesburg Hospital. UF Health announced the security breach within a couple of hours of discovering the attack, though at the time it was unclear whether any patient information was exposed in the attack.

A breach investigation was performed to determine whether the attackers had access to its computer system from May 29 to May 31, 2021, and although there is no confirmation of unauthorized access to patient information yet, UF Health has already reported the potential access to some patient information. The exposed information involved names, addresses, birth dates, Social Security numbers, medical insurance details, patient account numbers, medical record numbers, and some treatment data.

UF Health stated that the attack did not affect its electronic medical records, nor its Jacksonville or Gainesville campuses. UF Health said it is convinced that there has been no misuse or disclosure of any exposed information; nevertheless, as a safety measure against identity theft and fraud, impacted people are being provided credit monitoring and identity theft protection services for free. UF Health stated it is taking steps to prevent further attacks, such as improving the defenses of its electronic systems and strengthening security for sensitive information.

UF Health did not publicly state whether ransomware was involved in the cyberattack; however, a number of local media outlets reported the involvement of ransomware and a $5 million ransom demand by the attackers.

Attempted Ransomware Attack Reported by Eskenazi Health

Eskenazi Health, located in Indianapolis, IN, is dealing with an attempted ransomware attack, which happened on the morning of August 4, 2021. According to Eskenazi Health, its tracking systems worked as intended and it proactively shut down its network to contain the attack.

Eskenazi Health followed its emergency procedures, and ambulances are being diverted to other facilities to make sure that patients are safe. Eskenazi Health is presently working to bring its systems back online. At this point, its tracking systems indicate that patient and employee information was not compromised in the attack.

Sanford Health Suffers Cyberattack

Sanford Health in Sioux Falls, SD stated it was the target of an August 3, 2021 cyberattack, which is currently being resolved. Sanford President and CEO Bill Gassen confirmed that its IT staff took aggressive steps in response to the attempted cyberattack, that it is doing everything it can to minimize disruption, and that providing excellent care to its patients remains its top priority.

No other information has been revealed regarding the particular nature of the breach; however, at this point, it does not seem that the records of employees, patients, or residents were exposed. Top IT security professionals have been engaged and are helping to handle the breach response and investigation, and additional details will be published when they are available.

Guidehouse Reports Breach Impacting Several Healthcare Provider Clients

Community Memorial Health System based in Ventura, CA, Cayuga Medical Center based in Ithaca, NY, and Lehigh Valley Health Network based in Allentown, PA were impacted by a cyberattack at a vendor, which is a business associate.

The three healthcare companies utilized Guidehouse as a provider of their medical billing and collection services. Hackers accessed the Accellion File Transfer Appliance (FTA) utilized by Guidehouse for sending files to customers on January 20, 2021. For Community Memorial Health System patients, the files contained sensitive patient data like names, birth dates, member ID addresses, and selected medical data. For Cayuga Medical Center patients, the names, birth dates, insurance account numbers, and selected medical data were possibly exposed. For Lehigh Valley Health Network patients, the possibly exposed information includes names, account numbers, medical record numbers, dates of service, diagnosis and treatment procedure names, billing or payer details and names of the provider.

Guidehouse was notified by Accellion of the cyberattack in March 2021 and promptly ceased using the FTA service. Prominent cybersecurity professionals helped with the breach investigation and response. Guidehouse notified the affected clients of the breach on May 21, 2021.

Guidehouse issued breach notification letters to impacted entities on July 16, 2021. The delay in sending notifications was due to the time needed to identify the people impacted and to verify contact information.

Although the hackers obtained some data during the attack, Guidehouse mentioned it is not aware of any incidents of stolen data misuse. Nevertheless, as a safety measure against identity theft and fraud, impacted people will get a free Experian IdentityWorks credit monitoring service membership for two years.

The incident is not yet posted on the HHS’ Office for Civil Rights breach website, therefore the number of affected patients at the three healthcare companies is still uncertain.

A few more healthcare companies in the United States were impacted by the Accellion FTA cyberattack, such as Kroger Pharmacy, Health Net, Trillium Health Plan, Trinity Health, Arizona Complete Health, Stanford Medicine and Centene Corp.

PHI Possibly Compromised in Eye Center and Law Company Ransomware Attacks

Francisco J. Pabalan MD of Pabalan Eye Center based in Riverside, CA has announced a ransomware attack that has affected around 50,000 patients.

The center discovered the ransomware attack on March 3, 2021. The investigation confirmed that the attack started on March 1. The threat actors encrypted files on servers and computers, thus preventing access to patient data. They also demanded a ransom to restore the patient data. All impacted computers and servers had been backed up prior to the attack, so the encrypted data can be recovered without paying the ransom.

The investigation did not find any evidence of data theft. The ransomware attack seems to have been conducted solely to disrupt services in order to extort money from the practice. Following the attack, all computers and servers were changed prior to the installation of operating systems and software, and patient information was then restored from backups.

Additional security measures have been implemented, such as new anti-virus and anti-ransomware applications, a new Security Rule Risk Management Plan, and a new data encryption technology. New technical security measures were brought in to strengthen security, such as new, secure VPN-protected connections to servers, updated password policies, and extra training provided to employees to help them recognize security risks. Going forward, regular technical and non-technical assessments and updates will be carried out.

Although it does not appear that the attackers obtained financial details, all affected patients were advised to be vigilant and to monitor their account statements for any indications of identity theft or fraud. Protected health information (PHI) possibly compromised in the incident includes scanned insurance forms, examination findings, imaging, diagnostic screening, and scanned past medical data.

Campbell, Conroy, O’Neill Law Agency Reports a Ransomware Attack

Campbell, Conroy, O’Neill law firm located in Boston, MA has announced a ransomware attack that occurred on or around February 27, 2021.

The attackers encrypted selected files on its systems, which prevented access to them. The investigation suggested the attacker had accessed files that contain sensitive data in the attack. It was not possible to determine whether the threat actor viewed or obtained data associated with particular individuals.

The types of information contained in the files varied from one person to another. One or more of the following data elements are included: names, dates of birth, state identification numbers, driver’s license numbers, financial account details, Social Security numbers, passport numbers, payment card details, health data, health insurance details, biometric information, and online account credentials like usernames and passwords.

Campbell, Conroy, O’Neill has performed a review of its policies and procedures, and additional safeguards are being implemented to prevent further attacks. Persons whose Social Security number was possibly exposed in the incident were given a complimentary 2-year membership to fraud consultation, credit monitoring, and identity theft restoration services.

Ransomware Attacks Reported by Professional Business Systems and Prima Pediatrics

Professional Business Systems, Inc., doing business as Practicefirst Medical Management Solutions and PBS Medcode Corp, a medical management services provider for healthcare companies, has experienced a ransomware attack that allowed the attackers to acquire patient information.

The service provider discovered the ransomware attack on December 30, 2020, immediately shut down its systems in order to contain the attack, and informed law enforcement. Third-party cybersecurity specialists investigated the incident.

Practicefirst has not confirmed whether the ransom was paid; however, it said that the attacker gave assurances that the files stolen from its systems were destroyed and will not be further exposed.

There were no known cases of patient data misuse; nevertheless, all impacted persons were advised to monitor their accounts for any indication of fraudulent activity.

The types of patient data included in the breached files differed from one patient to another and might have contained the data elements listed below:

name, address, email address, birth date, driver’s license number, Social Security number, laboratory, diagnosis, and treatment data, patient ID number, medication data, medical insurance identification and claims data, tax ID number, employee username and password, employee username and security Q&A, and bank account and/or debit card/credit card data.

Additional security measures have since been put in place to better secure its email, network and other IT programs.

Prima Pediatrics Experiences Suspected Ransomware Attack

Prima Pediatrics detected the compromise of some of its computer programs and the installation of malware that rendered a number of its computer systems non-functional and the information saved on those systems unavailable.

Prima Pediatrics stated that the majority of the information on the impacted computers is believed to have been encrypted during the attack, and there was no information regarding the improper use of patient information. The investigation found no evidence to indicate the exfiltration of any patient information by the attackers. The impacted systems contained the following protected health information (PHI): names, diagnoses, medical illnesses, and medical backgrounds.

All patients possibly impacted by the breach were informed and advised to monitor their accounts and explanation of benefits statements for any indication of fraudulent activity. Prima Pediatrics is going to assess and update its privacy and information security policies and processes to prevent similar incidents from happening again.

Elekta Cyberattack Impacts Northwestern Memorial HealthCare and Renown Health Patients

Northwestern Memorial HealthCare in Chicago, IL and Renown Health in Reno, NV were impacted by a cyberattack on Elekta, one of their business associates, which provides a software system used for clinical radiotherapy for patients with cancer and brain ailments.

Elekta in Stockholm discovered the data breach and released a statement to confirm unauthorized access to its first-generation web-based storage system, which impacted a part of its North American customers.

Elekta is cooperating with the authorities and third-party cybersecurity specialists to find out specifically how the breach happened and the nature and extent of the breach. Elekta began informing impacted healthcare providers in April 2021.

Elekta’s investigation showed that its systems were attacked from April 2, 2021 to April 20, 2021. The attackers gained access to its systems and exfiltrated data that included the data of oncology patients; however, the breach only affected Elekta’s systems. There was no compromise of any systems belonging to its healthcare provider clients.

Northwestern Memorial HealthCare stated the database contained data like patient names, birth dates, Social Security numbers, medical insurance data, medical record numbers, and clinical data associated with cancer treatment, including medical records, doctor names, dates of service, treatment details, diagnoses, and/or prescribed medicine details.

Renown Health submitted a breach report indicating the compromise of 65,181 patients’ data such as names, addresses, Social Security numbers, birth dates, diagnoses, medical treatment details, appointment schedules and other patient data like weight and height.

Northwestern Memorial HealthCare stated the database contained the protected health information (PHI) of 201,197 oncology patients who received treatment at one of the hospitals listed below:

  • Northwestern Medicine Delnor Community Hospital
  • Northwestern Medicine Central DuPage Hospital
  • Northwestern Medicine Huntley Hospital
  • Northwestern Medicine Lake Forest Hospital
  • Northwestern Medicine Kishwaukee Hospital
  • Northwestern Memorial Hospital
  • Northwestern Medicine McHenry Hospital
  • Northwestern Medicine Valley West Hospital

Although data theft was established, Elekta reported there is no misuse or exposure of any patient data.

Northwestern Memorial Healthcare stated that people who had their Social Security number compromised will receive free credit monitoring and identity theft protection services. Renown Health mentioned Elekta is offering free identity checks, fraud consultation, and identity theft restoration assistance.

A total of 42 healthcare systems are considered to have been impacted by the breach. In several instances, impacted facilities had to temporarily stop cancer treatments and coordinate patient treatment at other healthcare facilities.

The breach also impacted the following:

  • 8,000 patients of Cancer Centers of Southwest Oklahoma, OK
  • 4,687 patients of Charles Health System, OR
  • 200+ patients of Yale New Haven, CT
  • Unknown patients of Carle Health, IL
  • Unknown patients of Lifespan, RI
  • Unknown patients of Southcoast Health, MA

Maximus Data Breach Impacts 334,000 Medicaid Healthcare Service Providers

Ohio Medicaid has reported a data breach encountered by Maximus Corp, its data manager, that resulted in the compromise of the personal data of Medicaid healthcare companies.

Maximus is an international vendor of government health information services. Because the company provides those services, it gets access to the personal data of Medicaid healthcare companies. On May 19, 2021, Maximus learned that unauthorized individuals accessed a server containing the personal data furnished to the Ohio Department of Medicaid (ODM) or to a Managed Care Plan from May 17 to May 19, 2021.

When Maximus discovered the breach, it took the server off the internet to block the attacker’s unauthorized access. A top-rated third-party cybersecurity company is investigating the incident. The cybersecurity company stated that the breach was limited to a program on the server and did not affect any other servers, programs, or systems.

No evidence has been identified that shows the misuse of any data inside the application, though data theft cannot be ruled out. The program was used for credentialing or tax identification purposes associated with each individual’s function as a healthcare service provider.

The application contained the following types of sensitive information: names, Social Security numbers, birth dates, and Drug Enforcement Agency numbers. According to Maximus, the breach did not affect persons covered by Medicaid.

Maximus stated that the quick identification of the breach limited its potential negative impact; nevertheless, because there is a probability of data theft, it sent notifications to all people affected on June 18, 2021. The company also offered free credit monitoring services for 2 years.

Maximus already reported the breach to the Maine Attorney General indicating that 334,690 people were affected. Those people are based in several U.S. states.

PHI of Approximately 500,000 People Potentially Stolen During the Wolfe Eye Clinic Ransomware Attack

Wolfe Eye Clinic, which manages a network of eye health clinics across Iowa, has reported its encounter with a ransomware attack on February 8, 2021. Attackers acquired access to its networks, deployed ransomware, and encrypted files. Much like in most ransomware attacks today, before file encryption, the hackers exfiltrated information from Wolfe Eye Clinic systems. The clinic received a ransom demand in exchange for the file decryption keys; however, it opted not to pay the ransom and instead to retrieve files from backup copies.

Wolfe Eye Clinic mentioned in its substitute breach notification letter that prompt action was undertaken to protect its network. Third-party IT security and forensic experts were involved to find out the nature and scope of the security breach. Because of the degree and sophistication of the attack, the team only determined the full scope of the security breach on May 28, 2021 and identified the data exposed during the attack.

The forensic inquiry, which ended on June 8, 2021, confirmed that the hackers viewed and exfiltrated the information of present and past patients. The stolen protected health information (PHI) contained names, contact information, dates of birth, Social Security numbers, and for certain persons, medical data.

Wolfe Eye Clinic began sending notification letters to impacted persons and offered free identity theft protection and credit monitoring services for one year via IDX. Wolfe Eye Clinic explained it is carrying out more safety measures to stop other attacks.

The attackers seem to have exfiltrated a huge volume of data. According to KCCI Des Moines, the incident impacted around 500,000 people, so this is regarded as one of the biggest ransomware attacks on one healthcare company that has been reported in 2021.

Scripps Health Ransomware Attack Affects 147,000 Individuals

Scripps Health, the 2nd biggest healthcare organization in San Diego, has commenced delivering breach notification letters to 147,267 individuals to inform them regarding the theft of their private and health information because of a ransomware attack on May 1, 2021.

The attack pushed Scripps Health to implement its EHR downtime procedures because its systems were not accessible online. Personnel at its medical clinics and hospitals had to rely on paper charts while systems were repaired and records were restored. That process took more or less a month, during which access to vital patient data like test findings was blocked. Scripps Health only regained the ability to create new files a week ago, when the MyScripps patient website was brought back online.

The attack impacted many of the healthcare provider’s care websites and disrupted procedures at two of its hospitals. Scripps Health decided to redirect a number of critical patients to other establishments, with all four of its primary hospitals set on emergency care diversion for heart attack, trauma, and stroke patients. Many non-urgent visits also had to be deferred in the days after the attack.

Scripps Health stated its principal Epic medical record system had not been breached, although before the ransomware deployment the threat actors got records that included patient information like names, dates of birth, addresses, medical insurance details, patient account numbers, medical record numbers, and a number of clinical data, for instance, physicians’ names, dates of service, and treatment details. The attackers additionally acquired the driver’s license numbers and/or Social Security numbers of about 3,700 people. Free credit monitoring and identity protection support services are being given to those persons.

Scripps Health has started a manual evaluation of the records breached in the attack and mentioned that it is a time-intensive procedure that will most likely take a few months. It isn’t yet known what other information the documents contain, Scripps Health reported in its statement concerning the attack, and it stated that notification letters are being delivered to impacted people right away.

It is sad that a lot of health care establishments are struggling with the effects of a growing cyber threat environment. Nevertheless, Scripps is implementing enhancements to its data security, systems, and monitoring capabilities. It is likewise working directly with federal authorities to support the continuing investigation.

Ransomware Attacks Affect Patients of Community Access Unlimited and CareSouth Carolina

13,813 Individuals Affected by Community Access Unlimited Ransomware Attack

Community Access Unlimited based in Elizabeth, NJ has begun sending notifications to 13,813 individuals that their PHI was saved on systems that had been accessed by unauthorized people.

On November 10, 2020, Community Access Unlimited recognized suspicious activity in its internal systems. The provider immediately took down its systems, and third-party forensics experts were engaged to find out the nature and scope of the breach.

The investigation confirmed that unauthorized people accessed its systems from June 29, 2020 to November 12, 2020; however, it was not possible to find out whether the attackers viewed or exfiltrated any patient information.

An analysis of the exposed systems revealed the following data may have been accessed or copied: names, dates of birth, state identification card numbers, driver’s license numbers, non-resident identification numbers, health data, medical insurance beneficiary numbers, and usernames and passwords.

Policies and procedures have since been analyzed and made better to lessen the potential for other attacks. Impacted persons were already alerted and complimentary credit monitoring and identity restoration services were provided to possibly impacted persons.

76,035 CareSouth Carolina Patients Affected by Ransomware Attack

CareSouth Carolina based in Hartsville, SC has informed 76,035 patients regarding the potential compromise of some of their protected health information (PHI) in a ransomware attack on Netgain Technologies, its IT vendor.

Netgain informed CareSouth Carolina on January 14, 2021 that the company had suffered a ransomware attack in December 2020, and the hackers got access to its servers that contain patient records from late November, part of which was exfiltrated prior to the deployment of ransomware.

On April 13, 2021, Netgain furnished CareSouth Carolina a copy of the information that was likely breached. CareSouth Carolina carried out an evaluation of the information and on April 27, 2021 stated that the dataset comprised patient names, address, date of birth, diagnosis/medical conditions, lab test results, medicines, and other clinical details. For some patients, Social Security numbers were also involved.

The threat actors sent Netgain a ransom demand and threatened to sell the stolen records if no payment was made. Netgain made the decision to give the ransom payment and acquired assurances that the stolen files were deleted and were not further shared.

Since the data breach, Netgain and CareSouth have implemented extra security steps to avoid any repeat attacks, and CareSouth is providing affected patients zero-cost identity theft protection services.

Healthcare Providers Announce Recent Ransomware Attacks Affecting Patients

In the aftermath of the ransomware attack on Colonial Pipeline, a number of ransomware gangs like REvil and Avaddon said that they have enforced new rules that require their affiliates to get permission prior to attacking a target, and that attacks on healthcare companies had been prohibited. Nonetheless, a lot of ransomware-as-a-service operations have not enforced prohibitions and healthcare providers are still getting targeted. Lately, a number of healthcare organizations have been confirmed as having experienced attacks.

San Diego Family Care

San Diego Family Care (SDFC) in California has reported that it experienced the impact of a ransomware attack in December 2020. SDFC as well as its business associate Health Center Partners of Southern California (HCP) were impacted by a ransomware attack on their information technology hosting vendor. It was reported that Netgain Technologies paid a $2.3 million ransom to acquire the keys to unlock the encrypted files and informed SDFC and HCP on January 20, 2021 regarding the compromise of the protected health information (PHI) of their patients.

SDFC and HCP were given a copy of the affected data and performed an evaluation to know which people were impacted and the types of information affected. The analysis was done on April 11, 2021 and so far, 125,500 patients are known to have been impacted.

SDFC explained in its substitute breach notice that the following types of data were breached: Names, Social Security numbers, government identification numbers, financial account numbers, dates of birth, medical diagnosis or treatment data, health insurance details, and/or client IDs. Affected persons received breach notification letters by mail on May 7, 2021.

SAC Health Systems

SAC Health Systems based in San Bernardino, CA also became a victim of the ransomware attack on its now former IT service provider, Netgain Technologies. SAC Health Systems was informed by Netgain Technologies on January 15, 2021 that the ransomware gang had access to its servers containing patient information between November 15, 2020 and November 22, 2020.

SAC Health Systems stated on April 20, 2021 that the ransomware attack affected 28,128 individuals. The types of records exposed included names, birth dates, addresses, Social Security numbers, driver’s license numbers, state identification numbers, tax IDs, financial account data, medical histories, electronic signatures, medical insurance details, medical record numbers, doctor names, prescription details, and reason for absence. All impacted people are now being alerted.

Harper County Community Hospital

Harper County Community Hospital based in Oklahoma has reported that it experienced a ransomware attack on March 24, 2021 that resulted in the potential compromise of the PHI of 5,725 patients.

The hospital stated the attack did not affect patient medical records; however, workstations and common drives were affected, and they contained files having first and last names, birth dates, residence addresses, Social Security numbers, patient account numbers, diagnoses, and medical insurance data.

Harper County Community Hospital had taken prompt corrective actions and has enforced extensive IT security practices, backup procedures, and made updates to its HIPAA policies and guidelines. All impacted persons are currently being informed concerning the attack.

Rehoboth McKinley Christian Health Care Services Reports a Ransomware Attack

Rehoboth McKinley Christian Health Care Services (RMCHCS) based in Gallup, NM has reported it had been attacked by ransomware in February 2021, resulting in the exfiltration of patient information.

The Conti ransomware gang attacked in February and took a selection of sensitive information, which includes job application records, background check data, staff reports, and patients’ protected health information (PHI). A portion of the compromised files was published to the Conti data leak website to compel the healthcare organization to pay the ransom demand. The information is not posted on the leak website now; however, it is uncertain if the company paid the ransom.

RMCHCS found out on February 16, 2021 that a ransomware group stole the patient information. RMCHCS employed a third-party computer forensics agency to look into the attack and it was confirmed that the attackers exfiltrated information from January 21 to February 5, 2021. An analysis of the files possibly viewed by the attackers was done on April 30, 2021. RMCHCS sent breach notification letters to the affected persons.

RMCHCS stated the attackers possibly accessed the following information: names, addresses, phone numbers, email addresses, birth dates, dates of service, driver’s license numbers, Social Security numbers, password numbers, tribal ID numbers, medical insurance data, medical record numbers, names of providers, diagnoses, treatment details, prescribed medication data, financial account data, and billing and claims information. The types of information possibly compromised differed from one person to another.

RMCHCS offered free identity monitoring and restoration services to the people impacted by the breach and has taken steps to strengthen its systems against cyberattacks and improved security and monitoring.

The breach is found to have impacted 209,280 people.

PHI Exposed Due to the University of Florida Health Shands, St. Paul’s PACE and St. John’s Well Child and Family Center Breaches

University of Florida Health Shands has found out that an old employee has accessed the medical information of 1,562 patients without valid authorization.

The HIPAA violations were identified on April 7, 2021. The provider quickly blocked the employee’s access to health files pending an investigation. The investigation affirmed the worker had been viewing patient medical records with no valid work reason for doing so from March 30, 2019 to April 6, 2021.

The following types of information might have been viewed: names, phone numbers, addresses, birth dates, and lab test results; however, no Social Security numbers, financial data, or health insurance data was compromised.

University of Florida Health Shands is convinced that no PHI was stolen or further breached; nevertheless, as a safety precaution, affected people were provided one year of complimentary credit monitoring services.

Third-Party Breach Affects Patients of St. Paul’s PACE

Community Eldercare of San Diego, doing business as St. Paul’s PACE, was impacted by a breach that occurred at one of its suppliers. Health plan management company, PeakTPA, provides billing and other admin services to St. Paul’s PACE. PeakTPA experienced a cyberattack on December 31, 2020 that resulted in the compromise of the records of selected St. Paul’s PACE patients.

Even though the cybercriminal gang behind the attack was not brought up in its breach notice, PeakTPA stated the FBI split up the gang on January 27, 2021 and that all stolen documents in the attack were retrieved. The timing indicates the Netwalker ransomware gang may have done the attack.

PeakTPA stated that the attackers might have gotten information such as names, addresses, dates of birth, medication details and Social Security numbers. Affected persons received offers for 3-years free credit monitoring, fraud consultation, and identity theft restoration services by Kroll. PeakTPA stated that it has implemented extra security measures to avert similar breaches later on.

Cyberattack Impacts 29,000 Patients of St. John’s Well Child and Family Center

St. John’s Well Child and Family Center, Inc. located in West Sacramento, CA is sending notifications to 29,030 people about a cyberattack on February 3, 2021 that resulted in the potential exposure of some of their protected health information.

When the family center discovered the attack, it took steps promptly to secure its systems and engaged third-party cybersecurity specialists to assist with the breach investigation. The investigation affirmed that the attackers probably accessed or obtained PHI like names, Social Security numbers, and other personal or medical data.

People who had their Social Security number likely compromised were offered complimentary credit monitoring and identity theft protection services for a year.

Ransomware Attack on New York Medical Group and Entrust Medical Billing

Orthopedic Associates of Dutchess County, a New York medical group practice, has reported the potential theft of protected health information (PHI) of certain patients in a recent cyberattack.

The security breach was discovered on March 5, 2021 after suspicious activity was identified in its systems. An investigation into the breach established that unauthorized individuals accessed its network on or around March 1, 2021. The attackers acquired access to selected systems, encrypted files, and issued a ransom demand for the keys to decrypt the files.

The attackers maintained they had taken sensitive data prior to encrypting the files, though it was not possible to determine which files had been stolen. An evaluation of the systems the hackers accessed revealed they included files having PHI like names, email addresses, addresses, contact telephone numbers, dates of birth, payment information, emergency contact details, diagnoses, treatment data, medical record numbers, health insurance details, and Social Security numbers.

People possibly affected by the breach were informed by mail and were provided a 12-month complimentary membership to credit monitoring and identity theft protection services. Currently, there are no reports of attempted or actual misuse of any patient information.

The breach resulted in the potential compromise of the protected health information of 331,376 people.

PHI of 5,426 Persons Compromised in Entrust Medical Billing Ransomware Attack

Entrust Medical Billing, a medical billing company based in Canton, OH, has experienced a ransomware attack that resulted in the probable exposure of the PHI of 5,426 persons.

Third-party cybersecurity specialists were called in to help with the investigation and figure out the magnitude of the security breach. On or around March 1, 2021, the investigation affirmed that the attackers had exfiltrated some of the files containing PHI such as names, birth dates, addresses, medical diagnosis/clinical data/treatment type or location, medical procedure details, medical insurance data, and patient account number.

Although the investigation confirmed the data theft, there is no evidence found that indicates actual or attempted misuse of the stolen data. Affected people have now been informed and those who had their Social Security numbers compromised received offers of free credit monitoring services. The company also implemented new technical safeguards and increased its monitoring efforts across its network environment.