Data Breaches Reported by the Chattanooga Heart Institute, Mulkay Cardiology Consultants, and Plastic Surgery Clinics

Cyberattack Victim Count Doubles at the Chattanooga Heart Institute

The Chattanooga Heart Institute located in Texas has reported the compromise of the protected health information (PHI) of 411,383 persons in a cyberattack that was uncovered on April 17, 2023. Chattanooga Heart Institute informed the HHS’ Office for Civil Rights and the Maine attorney general concerning the cyberattack on July 28, 2023. The notification initially indicated that the PHI of 170,450 individuals was affected. However, a breach notification update was already provided to the Maine Attorney General to report that the data breach had more victims than the initial count given.

The investigation into the cyberattack is still in progress. However, there is already a report on the unauthorized third party that got access to its system from March 8 to March 16, 2023, and extracted files that contain patients’ PHI. Although there was no breach in its electronic medical record system, the extracted files included data like names, email addresses, addresses, telephone numbers, birth dates, driver’s license numbers, Social Security numbers, medical insurance data, diagnoses, laboratory results, conditions, prescription drugs, account data, and other clinical, financial and demographic data.

The impacted persons were provided free credit monitoring services for one year and steps were taken to enhance security to stop more attacks. There was no mention in the notification letters that the Karakurt threat group professed to be behind the attack.

NoEscape Ransomware Group Exposes Data Stolen from Mulkay Cardiology Consultants

The NoEscape ransomware group has exposed information purportedly stolen from Mulkay Cardiology Consultants based in New Jersey. Based on the listing, the stolen information included over 60 GB of private and personal data, which contained the PHI of 30,000 patients. The exposed information consists of names, birth dates, addresses, telephone numbers, medical insurance policy numbers, medical cards, access cards, medical records, driver’s licenses, diagnostic information, Covid certificates, and other confidential data. Also included were sample photos and 2.43 GB of downloadable information.

NoEscape is a somewhat new ransomware group that initially came out in May 2023. The Health Sector Cybersecurity Coordination Center recently released a NoEscape Analyst Note regarding the group that contains information on its tactics, techniques, and procedures, and guidelines for improving security. Mulkay Cardiology Consultants has not posted yet any breach notice on its website and the cyberattack is not yet displayed on the HHS’ Office for Civil Rights breach website.

Extortion Groups Target Plastic Surgery Clinics

Cybercriminal groups are targeting U.S. plastic surgery offices, acquiring access to their systems, stealing information, and attempting to extort from the clinics and their patients, as per a new public service statement by the U.S. Federal Bureau of Investigation (FBI).

There have been a number of attacks on plastic surgery companies recently. Although ransomware may have been employed in these attacks, the main reason for the attacks is to get sensitive patient information, which may consist of health records and sensitive pre- and post-surgery pictures. Plastic surgery centers are provided a ransom demand, which if paid will stop the exposure of the stolen information. In certain instances, sensitive patient information and pictures have been published on the internet, and the attackers have tried to demand money directly from the patients. In May 2023, the attack on cosmetic surgeon, Gary Motykie, M.D. from Hollywood, CA, was asked to pay a $2.5 million ransom to stop the leakage of the stolen information. A number of the practice’s patients were called directly and instructed to pay to unpublish their sensitive data.

Based on the FBI, the threat actors utilize technology to conceal their true telephone numbers and email addresses and employ phishing emails to spread malware. The malware gives access to internal secured computers, allowing them to harvest sensitive information, such as photographs. The threat actors were seen enhancing the stolen information using information obtained from social networks, and have likewise employed social engineering techniques to improve the collected ePHI records of plastic surgery patients. The improved data is utilized for extortion and for other scams. The threat actors get hold of plastic surgery doctors and their patients by means of the telephone, email, text messages, and social networks. Sensitive ePHI is disclosed to the patient’s friends, loved ones, fellow workers, and colleagues, and public-facing sites are used to talk about the stolen information.

The FBI has provided guidelines on how to enhance security and minimize the chance of becoming victims of these attacks. These actions include going over the privacy options of social networking accounts and preferably making accounts private to restrict what people can read and what can be shared by other people on profiles. Accepting friend requests must be done with care, and audits must be done of friends to make sure they are all identified persons. Accounts must be set up in a way that friends are only visible to known persons. MFA and strong, unique passwords must likewise be employed for all accounts, particularly email, social media, and financial accounts. Use a password manager to generate strong, unique account passwords and store them safely. Bank accounts and credit reports must likewise be regularly examined for suspicious activity.

Although not stated in the notice, plastic surgery clinics must make sure that they implement cybersecurity guidelines like using strong passwords and activating multifactor authentication. They should also use endpoint detection programs and effective anti-phishing regulators.