Warned of an impending attack, a Nebraska healthcare center was able to avert it

Brian Mastre reports:

There were tense moments a month ago at the Butler County Health Care Center in David City, Nebraska. The IT director received a call from the Omaha FBI with a warning that this place was the target of a cyberattack. […] “Exactly when it was going to spread and when they were going to initiate the ransomware attack is not for sure. It could have been in minutes, hours or weeks,” said Agent Ken Schmutz, Omaha FBI Supervisor of the Cyber Task Force. The hospital averted the attack and no patient information was compromised. The Omaha FBI says the tip came from investigators in Ireland who then relayed it to the U.K. and to Nebraska.

Read more at WOWT.

It is somewhat fascinating to me that investigators in Ireland found out about it. Why they would relay it to the U.K. instead of directly to Nebraska is a bit of a puzzle, unless they thought the attackers were in the U.K. and wanted to let law enforcement there know?

Salinas Valley Memorial Healthcare System settles class action lawsuit for $340K

Salinas Valley Memorial Healthcare System has agreed to pay $340,000 to resolve claims that lax cybersecurity resulted in a 2020 data breach. Five employee and contractor email addresses were reportedly compromised in April, May and June of 2020 through a phishing scheme.

As Salinas claimed in their notification of July 1, 2020:

On April 30, 2020, SVMHS determined that the email account of one of its employees had been compromised. On May 7, 2020 and June 5, 2020 respectively, SVMHS subsequently determined that email accounts of a contractor and three other employees were also compromised. These five email accounts were compromised through Outlook Web Access, SVMHS’s browser-based email access solution.

The incident was reported to HHS on June 29, 2020 as impacting 2,384 patients. In closing its investigation into the incident, HHS wrote:

The covered entity (CE), Salinas Valley Memorial Healthcare System, reported that several workforce members were the victims of an email phishing attack that affected the electronic protected health information (ePHI) of 2,384 individuals. The ePHI involved included demographic and clinical information such as names, addresses, dates of birth, other identifiers, diagnoses/conditions, medications, and other treatment information. The CE notified HHS, affected individuals, and the media. In addition, the CE offered complimentary credit monitoring services to all affected individuals. In response to the breach, the CE sanctioned the workforce members involved in the incident, retrained workforce members on identifying fraudulent email communications, and implemented additional technical safeguards.

As is usually the case, there is no admission of wrongdoing by Salinas in the settlement.

In addition to the cash payment, Salinas agreed to take additional data security measures, including hiring third-party auditors to conduct regular penetration tests, maintaining firewalls and access control, providing regular training of all personnel relating to phishing and other security attacks, and conducting regular computer system scanning and security checks. Read more about the terms of the settlement at Top Class Actions. Claims must be filed by August 26, 2022. The settlement website is SalinasValleyMemorialSettlement.com.

Roundup: Four more breaches in the healthcare sector: Healthback Holdings, Zenith American Solutions, Bronx Accountable Healthcare Network, and Centerstone

On June 1, Healthback Holdings, LLC in Oklahoma discovered that they had been subject to a hacking incident that began in October 2021. “A limited number” of employee accounts were compromised. On July 29, Healthback notified HHS that 21,114 patients were affected. Their notice says that names, health insurance information, Social Security numbers, and clinical information were in the compromised email accounts.

Zenith American Solutions claims to be the largest independent Third Party Administrator in the United States with more than 47 offices nationwide. On June 24, there was a mailing error by an unnamed vendor that resulted in Social Security numbers being included in the mailing addresses of those sent letters that day. The error was discovered on June 28. Zenith reported the incident to HHS on July 20 as impacting 37,146 individuals, but it is not clear if that was the grand total or just on behalf of certain covered entities. Their notice to Sound Health and Wellness Trust provides more details about the types of data involved.

The Bronx Accountable Healthcare Network notified HHS on July 20 about a hacking incident involving email that impacted 17,161 patients. DataBreaches could find no notice on their site, and has written to them to ask if this report might be part of the Acacia Network breach in 2020 that was first disclosed in February of this year.

Centerstone is a nonprofit providing mental health, addiction recovery, residential care, therapeutic foster care, counseling, and crisis services at more than 200 locations in four states: Florida, Tennessee, Illinois, and Indiana. On February 14, they discovered a breach impacting their email environment that began in November 2021. The incident has not yet appeared on HHS’s public breach tool, but their press release indicates that the types of information of former and current clients that may have been accessed and acquired include: name, address, Social Security number, date of birth, client ID, medical diagnosis / treatment information, and/or health insurance information.

First Choice Community Healthcare discloses breach but doesn’t reveal it was a ransomware attack

First Choice Community Healthcare (FCCH) is a non-profit healthcare system in New Mexico providing a range of services to the community. In a press release issued today, they describe a security incident that they discovered on March 27, 2022. The notice is also posted on their website. Their notice talks about how the incident “may have involved” personal and protected health information and that information “may have been accessed or acquired without authorization.” The type of information involved included: provider names, Social Security numbers, First Choice patient ID number, diagnosis and clinical treatment information, medications, dates of service, health insurance information, medical record number, patient account number, date of birth, and provider information.

Nowhere in their notice do they forthrightly tell people that this was a ransomware attack, that some data was leaked by the ransomware team, and that they paid ransom. On April 7, DataBreaches reported the addition of FCCH to Hive’s dedicated leak site. DataBreaches inspected the internal documents and patient files that Hive disclosed as proof and then reached out to FCCH to ask them about the incident, noting how shortly after the listing first appeared, it disappeared. FCCH never replied to the inquiries.

FCCH was listed as a target on Hive’s dedicated leak site on April 7, 2022. Hive claimed to have acquired HR, financial, and patient records and claimed that they had four database tables with a total of approximately 550,000 records. The listing, which included samples of the data, was removed shortly thereafter. Weeks later, HHS issued an analyst’s report on Hive ransomware. Today, DataBreaches sent another email to FCCH asking them whether they had been able to decrypt any encrypted files and whether they had paid ransom to Hive. No reply has been received as of the time of this publication.

FCCH’s notification seems to be one more example of an unwelcome trend towards less transparency rather than more transparency. Why is the transparency important as long as people get notified, you ask? Well, for one thing, the ransomware team had information in their hands that may have included credentials that can be used to attack other victims. As Steffen Zimmermann recently told DataBreaches when discussing ransomware attacks and how ransomware teams find other victims to explore:

in industry cases I have seen so far, spear phishing was the main entrance — spear phishing by reusing stolen data from other ransomware victims. More or less walking through the supply chain.

In general:

— Attempts to protect the entity from disclosing anything that could be used against them in possible litigation may leave patients without information that might help them assess their risk and what steps they may need to take to protect themselves, and

— Attempts to protect the entity from disclosing anything that could be used against them in possible litigation may leave other entities at risk because they are not learning that their credentials may have fallen into the hands of a ransomware team who will then start using the information to compromise them.

Attempts to protect the entity are selfish endeavors that fly in the face of regulations intended to notify those at risk from a breach. What they are doing may be legal, but it is a self-serving cover-up that basically says “Screw the patients and the people whose information we failed to protect. Now we are just looking out for ourselves.” DataBreaches will continue to call out entities who fail to disclose ransomware attacks or to be more forthcoming about incidents, and hopes that others will also call them out. Maybe we need a #StopTheCoverUp hashtag on Twitter?

Update: Post-publication, DataBreaches received a reply email from FCCH that said, in its entirety:

Patient care was not impacted. Beyond that, what we have on our site is all we are going to say at this time. Thank you.

So even when asked directly, they did not admit that this was a ransomware incident and that ransom was paid.

Update2: The incident has just appeared on HHS’s public breach tool as affecting 101,541 patients. It was reported to HHS on August 1, more than four months after they discovered the attack and almost four months since DataBreaches first reported the breach publicly.

2022 Mid-Year Healthcare Data Breach Deep Dive — Protenus

Amanda Rogers writes:

As we’re now midway through 2022, we thought we’d take a half-time pause to compare some data breach statistics in the healthcare space for the first half of 2022 to the first half of 2021. We’ll also provide insight on how to proactively take a stand to better protect your patients and organization. In this post, we’ll use the United States Department of Health and Human Services (HHS) public breach tool as well as data compiled by DataBreaches.net (“DataBreaches”) for Protenus.

I hope you’ll all read the mid-year blog post. In one respect, though, it turns out that it doesn’t matter if you use HHS’s statistics or DataBreaches.net’s larger dataset: the number of incidents was down in the first half of 2022 compared to 2021, as was the number of records impacted. But while the percent of incidents attributable to hacking increased slightly in 2022 from 75% to 80%, the percent of incidents attributable to business associates decreased from 42% to 36%. Whether those smallish changes will be maintained by the end of the year or when more data becomes available remains to be seen.

But let me use this post to take a deeper look into HHS’s breach tool when it comes to business associate reports. Unfortunately, and although Protenus gets it right, a number of other sites misreport data on business associates based on HHS’s public breach tool. The misreporting occurs if they confuse the number of incidents reported by a business associate with the number of business associate incidents. Their mistake is somewhat understandable if you understand that while HHS’s reporting form asks the reporting entity if a business associate was involved, the entity’s response does not appear on the breach tool unless you either manually expand each entry to see each entity’s response or export the database and then look at a field in the Excel sheet that asks Yes or No for Business Associate?

Some sites that try to report statistics based on HHS do not seem to realize that simply counting the number of incident reports submitted by “Business Associates” significantly underestimates the number of incidents that were attributable to business associates. Thus, for the first half of 2021, Protenus reported:

44 reports were submitted by business associates, but a deeper dive into HHS’s tool reveals that 156 of all incidents in the data set (42%) involved business associates.

So one take-home message is this: the number of incidents submitted by business associates is not the same as the number of reports involving business associates. If you want to know the latter, you will have to dig deeper into HHS’s breach tool.

But even if researchers know to expand the breach tool or export it, they immediately encounter a second issue: how to differentiate the number of reports that involved business associates from the number of unique incidents involving business associates? Some business associate incidents may be reported, in part, by the business associate on behalf of some covered entities while other clients of the business associate may file on their own behalf. Determining how many unique incidents there are in any time period requires the researcher to know whether each report on the breach tool is due to a business associate breach that has already been counted in any incident counter or is a new and previously unreported incident. Imagine, for a moment, if all 650+ clients of one business associate each filed individual breach notifications with HHS. The numbers we’d get might totally distort our understanding of how many breaches involving business associates occurred that year.

HHS’s public breach tool does not permit the kind of analysis researchers need because even in its expanded form or exported form, HHS’s breach tool generally does not name the business associate involved in a breach reported by a provider/covered entity. Or if the business associate is the reporting entity, HHS’s note may not name the covered entity or entities affected. We generally cannot determine from HHS’s breach tool how many reports might be related to the same business associate incident. In a more helpful world, HHS’s breach tool would enable us to look at business associate breaches in a framework that allows us to cluster associated reports.

In 2022, discriminating between the number of reports involving business associates and the number of unique incidents involving business associates will remain challenging because of the number of large incidents involving business associates that we have already learned about this year. I’ll have more to say about my wish list for revising HHS’s breach tool in the future, but in the meantime, go read Protenus’s blog.
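To make the two counting pitfalls concrete, here is an added worked example (not code from DataBreaches or Protenus) that runs over a constructed export in the shape of the HHS breach tool spreadsheet. It assumes the export carries a "Covered Entity Type" column and a Yes/No "Business Associate Present" column; the date-window clustering used to estimate unique incidents is my own heuristic, not an HHS method, and it goes a step beyond the post by showing how such clustering would work if the tool allowed it.

```python
import csv
import io
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample rows in the shape of an HHS breach tool export.
# The column names "Covered Entity Type" and "Business Associate Present"
# are an assumption about the export format, not values from the post.
SAMPLE_EXPORT = """\
Name of Covered Entity,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Business Associate Present
Clinic A (constructed),Healthcare Provider,2400,2022-03-01,Hacking/IT Incident,No
Vendor X (constructed),Business Associate,37000,2022-07-20,Unauthorized Access/Disclosure,Yes
Plan B (constructed),Health Plan,5000,2022-07-21,Unauthorized Access/Disclosure,Yes
Plan C (constructed),Health Plan,4100,2022-07-25,Unauthorized Access/Disclosure,Yes
Hospital D (constructed),Healthcare Provider,288000,2022-05-27,Hacking/IT Incident,No
Practice E (constructed),Healthcare Provider,9000,2022-06-10,Hacking/IT Incident,Yes
"""


def load_rows(text):
    """Parse a breach-tool-style CSV export into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def reports_filed_by_business_associates(rows):
    """Reports where the *filing* entity is a business associate.
    This is the smaller number that gets misquoted as 'BA incidents'."""
    return sum(1 for r in rows if r["Covered Entity Type"] == "Business Associate")


def reports_involving_business_associates(rows):
    """Reports where the filer answered Yes to 'Business Associate Present',
    regardless of who filed. Requires reading the hidden/exported field."""
    return sum(1 for r in rows if r["Business Associate Present"].strip().lower() == "yes")


def estimate_unique_ba_incidents(rows, window_days=14):
    """Heuristic (my assumption): since the export does not name the business
    associate, group BA-involved reports that share a breach type and were
    submitted within `window_days` of the first report in the group.
    Returns the number of such groups, a rough stand-in for unique incidents."""
    ba_rows = [r for r in rows if r["Business Associate Present"].strip().lower() == "yes"]
    by_type = defaultdict(list)
    for r in ba_rows:
        by_type[r["Type of Breach"]].append(date.fromisoformat(r["Breach Submission Date"]))
    clusters = 0
    for dates in by_type.values():
        cluster_start = None
        for d in sorted(dates):
            if cluster_start is None or d - cluster_start > timedelta(days=window_days):
                clusters += 1          # start a new cluster
                cluster_start = d
    return clusters


def summarize(text):
    """Return the three figures side by side so the gap between them is visible."""
    rows = load_rows(text)
    return {
        "total_reports": len(rows),
        "filed_by_ba": reports_filed_by_business_associates(rows),
        "involving_ba": reports_involving_business_associates(rows),
        "estimated_unique_ba_incidents": estimate_unique_ba_incidents(rows),
    }


if __name__ == "__main__":
    # On the constructed data: 1 report filed by a BA, 4 involving a BA,
    # and roughly 2 distinct BA incidents once related reports are clustered.
    print(summarize(SAMPLE_EXPORT))
```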

BJC HealthCare settles class action litigation

In May 2020, DataBreaches noted that BJC Healthcare in Missouri was alerting patients to a data breach. The breach had first been discovered on March 6, shortly after three employee email accounts were compromised. At the time of notification, BJC Healthcare reported that investigators were unable to determine if any emails or attachments had actually been viewed. In their notice of May 27, BJC noted that the incident might affect patients at:

Alton Memorial Hospital
Barnes-Jewish Hospital
Barnes-Jewish St. Peters Hospital
Barnes-Jewish West County Hospital
Christian Hospital
Memorial Hospital
Missouri Baptist Medical Center
Missouri Baptist Sullivan Hospital
Parkland Health Center Farmington
Parkland Health Center Bonne Terre
Progress West Hospital
St. Louis Children’s Hospital

The incident was reported to HHS in May 2020 as impacting 287,876 patients. In July 2021, a class action lawsuit survived a motion to dismiss. Now Top Class Actions reports that BJC Healthcare has agreed to a settlement to resolve claims:

Ordinary expense reimbursement is capped at $250 per person and includes bank fees, interest, credit monitoring costs, postage, mileage and up to three hours of lost time at a rate of $20 per hour. Larger payments of $5,000 are available for extraordinary expense reimbursement, which includes documented, unreimbursed monetary losses and up to three hours of additional lost time at a rate of $20 per hour.

Read more at Top Class Actions. The deadline for exclusion and objection is Aug. 16, 2022. The final approval hearing for the settlement is scheduled for Sept. 6, 2022. The official settlement site is BJCDataIncindent.com.

In Re BJC Healthcare Data Breach Litigation, Case No. 2022-CC09492, in the Circuit Court of the City of St. Louis, State of Missouri

Treating Healthcare’s Insider Threat

Gabriel Avner writes: There’s an old joke about why bank robbers rob banks. Because that’s where the money is. Given the valuable assets under their care, banks, fintech, insurance, and other financial institutions have understood that they have to take special care to avoid data breaches and other threats. But if the past week’s steady stream of news stories regarding data exposure at hospitals is any indication, then it should be pretty clear that the healthcare industry faces its own set of serious challenges when it comes to keeping themselves secure. Read more at Security Boulevard.

Tenet Healthcare faces lawsuit after Baptist Health System data breach affects 1.2 million patients

Catherine Martin reports: A Texas man has filed a class-action lawsuit against Dallas-based Tenet Healthcare and its affiliate Baptist Health System after the companies experienced a data breach this year that affected more than a million patients. The lawsuit was filed July 5 in Dallas County on behalf of Troy Contreras, one of about 1.2 million patients affected by the breach, and alleges the companies failed to properly notify patients of the breach or take proper precautions to prevent it. It seeks more than $1 million in damages. Read more at The Dallas Morning News.

US govt warns of Maui ransomware attacks against healthcare orgs

Sergiu Gatlan reports: The FBI, CISA, and the U.S. Treasury Department issued today a joint advisory warning of North-Korean-backed threat actors using Maui ransomware in attacks against Healthcare and Public Health (HPH) organizations. Starting in May 2021, the FBI has responded to and detected multiple Maui ransomware attacks impacting HPH Sector orgs across the U.S. “North Korean state-sponsored cyber actors used Maui ransomware in these incidents to encrypt servers responsible for healthcare services—including electronic health records services, diagnostics services, imaging services, and intranet services,” the federal agencies revealed. Read more at BleepingComputer.  

ATC Healthcare, Community of Hope, The People Concern disclose breaches, Advocates notifies more people of its breach

Preface: In this post, DataBreaches summarizes four more notifications involving patient data or health data that were published this past week. Three of the incidents are new disclosures and one is an update. Note that the three newly disclosed incidents all involved compromise of employee email accounts. In at least two of the three incidents, investigators could not determine which emails or data were accessed, resulting in the entities having to notify everyone who potentially had data accessed (the third incident is silent on this point). How much more does incident response cost to go through every email and attachment that perhaps did not need to be kept in the employee’s email account at that point? Do you think there’s a take-home message in there, perhaps?

ATC Healthcare

ATC Healthcare in New York issued a press release about a breach they experienced in December 2021. Their press release is not as clear or detailed as an updated notice on their website, so it is the website notice that is the source of this summary:

On December 22, 2021, ATC discovered unusual activity involving some employee email accounts. Investigation revealed that the email accounts had been accessed without authorization at varying times between February 9, 2021 and December 22, 2021. The compromised email accounts contained the following types of information at the time of the incident: names, Social Security numbers, driver’s licenses, financial account information, usernames and passwords, passport numbers, biometric data, medical information, health insurance information, electronic/digital signatures, and employer-assigned identification numbers.

As is often the case, investigators could not be sure exactly what data may have been accessed, so notifications were sent to all individuals who were potentially impacted. They do not seem to be offering anyone any complimentary services and emphasize that there is no definite evidence that any data was accessed, copied, or exfiltrated.

Community of Hope D.C. (COHDC)

On February 7, 2022, COHDC learned of a data security incident involving unauthorized access to an email account of one COHDC employee. The incident was reportedly discovered when the account’s authorized user identified spam messages being sent from the account. Investigation revealed that an unauthorized actor may have accessed certain files and data contained within a single Outlook 365 email account between January 27 and February 7, 2022. The information that may have been accessed for individuals included Social Security numbers, driver’s license numbers, financial information, health insurance information, and health diagnostic information. COHDC appears to have made arrangements with IDX to provide assistance and services to those affected. You can read their full notice on COHDC’s website.

The People Concern

Although they do not disclose when they first discovered a problem, The People Concern (TPC) in California found that an unauthorized individual accessed employees’ email accounts on different dates between April 6, 2021 and December 9, 2021. As in other cases, the investigators were unable to determine exactly which emails or what data in the email accounts was accessed. TPC collects a variety of information on community members and employees, including: name, date of birth, Social Security number, health insurance information, and medical information regarding care the community member may have received in one of their programs. For those whose SSN or driver’s license information was potentially involved, TPC is offering services through IDX to assist them. TPC’s notification to the California Attorney General’s Office can be found here; their website notice can be found here.

Advocates, Inc.

On June 28, Advocates, Inc. in Massachusetts issued a press release. According to the release, on October 1, 2021, Advocates was informed that Advocates data had been copied from its digital environment by an unauthorized actor. Investigation revealed that an unknown actor gained access to and obtained data from the Advocates network between September 14, 2021 and September 18, 2021. The unauthorized individual was able to acquire personal and protected health information including: name, address, Social Security number, date of birth, client identification number, health insurance information, and medical diagnosis or treatment information.

But if you recognize their name, you may be wondering why they issued this notice on June 28. This is the same incident that had been reported to the Maine Attorney General’s Office by their external counsel on January 3, 2022 as impacting 68,236 individuals (total). It was also reported with that number to HHS on January 21, 2022. Digging deeper into their website notice reveals that the identification of additional affected individuals continued into June. As they explain:

Advocates is not aware of any evidence of the misuse of any information potentially involved in this incident. However, beginning on January 3, 2022, Advocates mailed notice of this incident to potentially impacted individuals for which Advocates had identifiable address information. Advocates then worked diligently with experts to review the impacted data set and identify any additional potentially impacted individuals with address information. That process was completed on June 9, 2022, and on June 28, 2022, Advocates provided notice of this incident to those individuals.

At some point, then, we may see an amended entry on HHS’s breach tool or to the Maine Attorney General’s Office, or both.