Four more attacks on the healthcare sector, weekend edition
UPDATE of Feb. 10, 2023: Regal Medical Group notified HHS that their incident impacted 3,300,638 patients.
It may be the weekend, but there’s no rest for the weary when it comes to tracking attacks on the healthcare sector. Here are four more incidents you may not have heard about already:
Cardiovascular Associates (“CVA”) is notifying some of their patients seen at their Alabama locations about a hacking incident discovered on December 5, 2022. Their investigation determined that an unauthorized third party was able to both access and exfiltrate some data from the network between November 28, 2022 and December 5, 2022. CVA’s notification is totally silent on whether this incident involved any ransomware or ransom demand(s).
The personal information involved in this incident may have included one or more of the following elements:
- demographic information to identify and contact the patient, such as full name, date of birth, and address;
- Social Security number;
- health insurance information, such as name of insurer/government payor and member ID, policy and/or group number;
- medical and treatment information, such as medical record number, dates of service, provider and facility names, other visit, procedure and diagnosis information, and possibly assessments, tests and imaging;
- billing and claims information, such as account and/or claim status, billing and diagnostic codes, and payor information;
- passport and driver’s license number;
- credit and debit card information; and
- financial account information.
CVA notes that not all data elements were involved for all individuals.
You can read their notification to the California Attorney General’s Office and a companion FAQ about the incident. The incident is not yet up on HHS’s public breach tool so we do not know the number of patients affected.
Regal Medical Group
Regal Medical Group, Lakeside Medical Organization, ADOC Medical Group, and Greater Covina Medical (collectively, “Regal”) have been notifying patients about a breach that resulted from a ransomware attack.
In their notification of February 1, Regal writes that they first became aware of the December 1 breach on December 8, 2022. On December 2, they noticed difficulty accessing some servers and discovered malware on some servers. That malware resulted in access to and exfiltration of some data.
Personal information that may have been affected included:
name, social security number (for certain, but not all, potentially impacted individuals), date of birth, address, diagnosis and treatment, laboratory test results, prescription data, radiology reports, health plan member number, and phone number.
Regal’s notification to the California Attorney General’s Office does not identify the type of ransomware, whether they received a ransom demand, or whether they paid ransom, but as of publication, none of the Regal Group entities have shown up on any of the dark web leak sites operated by ransomware gangs.
The incident has not yet been posted to HHS’s public breach tool, so we do not yet know the total number of patients affected.
Southeast Colorado Hospital District
On December 6, Southeast Colorado Hospital District (“SECHD”) became aware of suspicious activity involving the email account of one SECHD employee. An investigation determined that an unauthorized third party had gained access to the email account at various times between November 23 and December 5.
Review of the employee’s email account revealed some individuals’ personal information that may have included:
name, Social Security number, driver’s license number, date of birth, medical treatment or diagnosis information, and/or health insurance information.
Written letters were mailed to those affected on February 3. You can read a copy of their notification on their website.
SECHD also submitted a notification to the Montana Attorney General’s Office, but it seems that through a clerical error, that office uploaded the wrong notification.
This incident does not appear on HHS’s breach tool at time of publication. Whether it will appear or not may depend on whether that email account had information on more than 500 patients.
Jackson & Joyce Family Dentistry
Of the four incidents in this post, the Jackson & Joyce Family Dentistry incident is the only one for which we do not have any notification or even acknowledgment from the entity.
The Ocala, Florida dental practice was added to LockBit 3.0’s leak site on February 3 with several screenshots as proof of claims. Finding no notice on the dental group’s website or social media account, DataBreaches sent an email inquiry about the claimed attack. There has been no reply. Although the screenshots appear convincing, this incident is treated as unconfirmed at this point.