Data Breaches at Cardiovascular Consultants and ESO Solutions Impact Over 3M Individuals

Cardiovascular Consultants Data Breach Impacts 484,000 People

Cardiovascular Consultants Ltd., based in Arizona, has centers in Phoenix, Glendale, and Scottsdale. It reported to the HHS’ Office for Civil Rights a data breach that impacted the protected health information (PHI) of 484,000 persons.

Cardiovascular Consultants discovered suspicious activity within its computer network on September 29, 2023, and began implementing incident response and recovery processes. A third-party cybersecurity firm investigated the incident and found that unauthorized individuals gained access to the network on approximately September 27, 2023.

Cardiovascular Consultants has confirmed that the hackers stole files containing sensitive information and used ransomware to encrypt files on its network. The review of the compromised files showed that they contain patient information including names, dates of birth, mailing addresses, emergency contact data, driver’s license numbers, Social Security numbers, state ID numbers, insurance policy and guarantor details, diagnosis and treatment details, and other data from healthcare or billing records.

Information about account guarantors was also stored on the breached parts of the system, including names, birth dates, mailing addresses, email addresses, and phone numbers, as were details about insurance policy holders/subscribers such as names, phone numbers, mailing addresses, birth dates, insurance policy details, and, in certain instances, Social Security numbers.

Impacted persons were notified of the breach on December 2, 2023, and offered free credit monitoring, identity theft protection, and fraud resolution services for two years. Cardiovascular Consultants has stated that supplemental security procedures were put in place to enhance its protection against cyberattacks.

2.7 Million Individuals Impacted by ESO Solutions Data Breach

ESO Solutions, a company providing software for hospitals, health systems, fire departments, and EMS agencies, has reported a ransomware attack with file encryption in September 2023. ESO Solutions discovered suspicious activity inside its system on September 28, 2023, and immediately isolated its systems to stop further unauthorized network access.

Third-party digital forensics specialists investigated the ransomware attack to determine the scope of the unauthorized activity. The forensics staff reported on October 23, 2023 that the attackers gained access to parts of the system that contain the personal data and PHI of 2.7 million people. The exposed data included names, birth dates, injury type and date, treatment type and date, and, in certain instances, Social Security numbers. After the attack was reported, the Federal Bureau of Investigation and ESO Solutions worked together to investigate. The attackers issued a ransom demand but ESO Solutions failed to restore the encrypted files using its backups.

ESO Solutions informed its impacted clients, frequently contacted them to help them respond appropriately to the incident, and offered to notify the patients of its clients. ESO Solutions began sending notification letters by mail on December 12, 2023. Impacted persons have been offered free credit monitoring and identity theft protection services via Kroll.

The healthcare providers listed below are confirmed to have been impacted:

  • Ascension – Ascension Providence Hospital in Waco
  • Baptist Memorial Health Care System – Mississippi Baptist Medical Center
  • Community Health Systems – Merit Health River Oaks and Merit Health Biloxi
  • CaroMont Health
  • ESO EMS Agency
  • Forrest Health – Forrest General Hospital
  • HCA Healthcare – Alaska Regional Hospital
  • Memorial Hospital at Gulfport Health System – Memorial Hospital at Gulfport
  • Providence St Joseph Health (also known as Providence) – Providence Alaska Medical Center and Providence Kodiak Island Medical Center
  • Tallahassee Memorial HealthCare – Tallahassee Memorial
  • Universal Health Services (UHS) – Desert View Hospital and Manatee Memorial Hospital

With patient safety and personal data at risk, companies must not delay strengthening their cybersecurity measures. On a typical day, over 55,000 physical and digital resources are linked to organizational systems; 40% of these resources are not tracked, leaving gaps that can be exploited. Attackers are targeting these gaps. This incident shows that improper access to a single device can cause problems for an entire company. It also shows the value of teaching companies that assets are not only hardware or medical devices. Other assets that could be attacked include data artifacts, virtual assets, personal health data, and user access.

It is important for healthcare companies not just to look at cyber threats from a vulnerability viewpoint, but also to consider the assets that support medical workflows or store patient data. With a detailed inventory of assets, companies can prioritize the necessary controls and risk reduction strategies to help address and mitigate cyberattacks. Monitoring all resources for suspicious activity and connection attempts, and assessing other aspects of attempted access, gives the level of visibility required to help set up preventive policies.

To enhance their protection against ransomware attacks, healthcare companies of all types need to prioritize cyber exposure management to minimize all cyber asset risks, control vulnerabilities, block threats, and safeguard the whole attack surface. Security and IT professionals should also look at integrating critical techniques, such as network segmentation, into their cybersecurity programs to boost healthcare cybersecurity. Segmenting a network is a big project that can last several years; nevertheless, it is the project that will achieve the most risk reduction in a healthcare system.

What matters for these projects is proper planning and understanding that a segmentation project is going to have the following phases:

  • discovery and inventory
  • behavioral and communication mapping
  • policy creation, prioritization, testing, implementation, and automation

A risk-based prioritization strategy sets aside the traditional approach of segmenting device lists according to manufacturer or type. Instead, companies can achieve a significantly faster ROI by identifying and isolating critical vulnerable devices first, achieving the greatest risk reduction upfront. Cybersecurity experts at healthcare companies must integrate these types of products and strategies immediately to help stop these types of attacks from affecting their companies directly, and to safeguard them and their patients after an attack against a third-party supplier.
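The difference between the two segmentation orders can be measured on an inventory. The following is an added example, not part of the original article: the asset names, the 1-5 scales, and the scoring formula are all assumptions made for illustration. It flags hosts found during discovery that the inventory does not track, then counts how many assets must be segmented in each order to cover 80% of the total scored risk.

```python
from dataclasses import dataclass
from itertools import accumulate

@dataclass(frozen=True)
class Asset:
    name: str
    vendor: str
    kind: str
    criticality: int  # 1-5, assumed scale: role in clinical workflow / PHI held
    exposure: int     # 1-5, assumed scale: unpatched flaws, unsupported OS
    peers: int        # distinct hosts it talks to (from communication mapping)

    @property
    def risk(self) -> int:
        # Assumed scoring model: impact x likelihood, scaled by network reach.
        return self.criticality * self.exposure * (1 + self.peers // 10)

# Constructed inventory; every name and score is illustrative.
INVENTORY = [
    Asset("infusion-pump-07", "VendorA", "pump", 5, 4, 12),
    Asset("badge-printer-01", "VendorA", "printer", 1, 2, 3),
    Asset("ehr-db-01", "VendorB", "server", 5, 3, 45),
    Asset("lobby-kiosk-02", "VendorB", "kiosk", 1, 3, 2),
    Asset("pacs-archive", "VendorC", "server", 4, 5, 20),
    Asset("hvac-ctrl", "VendorC", "iot", 2, 4, 5),
    Asset("nurse-ws-114", "VendorD", "workstation", 3, 2, 8),
    Asset("mri-console", "VendorD", "imaging", 4, 4, 9),
]
# Constructed set of hosts seen on the wire during the discovery phase.
OBSERVED = {a.name for a in INVENTORY} | {"unknown-cam-3f", "legacy-fax-gw"}

def untracked(observed, inventory):
    """Hosts seen on the network that the inventory does not know about."""
    return sorted(observed - {a.name for a in inventory})

def by_vendor(assets):
    return sorted(assets, key=lambda a: (a.vendor, a.kind, a.name))

def by_risk(assets):
    return sorted(assets, key=lambda a: (-a.risk, a.name))

def assets_needed(ordered, target=0.8):
    """Assets to segment, in this order, before `target` of total risk is covered."""
    total = sum(a.risk for a in ordered)
    for n, covered in enumerate(accumulate(a.risk for a in ordered), start=1):
        if covered >= target * total:
            return n
    return len(ordered)

if __name__ == "__main__":
    print("untracked:", untracked(OBSERVED, INVENTORY))
    print("vendor/type order:", assets_needed(by_vendor(INVENTORY)), "assets to 80%")
    print("risk order:", assets_needed(by_risk(INVENTORY)), "assets to 80%")
```

Untracked hosts carry no score at all, so they have to be resolved in the discovery phase before either ordering means anything.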