
134K Common Ground plan members added to vendor’s ransomware fallout

Nearly 134,000 plan members of the Common Ground Healthcare Cooperative were informed their data was likely accessed during an April ransomware attack on mailing vendor OneTouchPoint. (Navy)

Common Ground Healthcare Cooperative recently informed 133,714 plan members that their data was likely accessed during a hacking incident and subsequent ransomware attack of its mailing vendor, OneTouchPoint.

OTP previously issued a notice on behalf of 30 health plans, reporting the incident as impacting 1.07 million individuals. The patients from CGHC and the separate notice from Aetna ACE in Connecticut for 326,278 members bring the total OTP breach tally to over 1.53 million affected individuals.

As previously reported, the investigation into the April 28 ransomware attack on OTP found that the threat actor gained access to its systems the day before deploying the malware. But the vendor could not determine what, if any, files the attacker accessed during the dwell time.

The hacked servers contained information that varied by patient and could include member names, IDs, dates of birth, contact information, diagnosis codes, description of services and personal information provided during health assessments. For one covered entity, Social Security numbers were included.

OTP has since reported the incident to regulators and law enforcement and is taking steps to bolster its security safeguards, policies, and procedures.

19K Valley Baptist Medical patients added to Conifer breach tally

Earlier this month, Conifer Revenue Cycle Solutions began notifying patients tied to six hospitals that a hack of its email system possibly gave the actor access to the personal data contained in the accounts. About 19,000 patients with ties to Valley Baptist Medical Center in Harlingen and Brownsville, Texas, have since been added to the overall breach tally.

The impacted hospitals also include Resolute Health Hospital, Baptist Health System in San Antonio, and Brookwood Baptist Medical Center.

Conifer detected on April 14 that an unauthorized actor had accessed its Microsoft Office 365-hosted business email account. The investigation, conducted with support from a third-party security firm, revealed that the attacker accessed the account nearly four months before it was discovered.

The impacted email account was separate from Conifer’s internal network and systems, which were thus unaffected by the incident.

For Conifer clients, the compromised data varied by patient and could include names, dates of birth, SSNs, driver’s licenses, financial account details, health insurance information, diagnoses, treatments, prescriptions, billing, and claims data, among other sensitive information. The investigation could not conclusively determine whether the data was actually accessed.

For Valley Baptist Medical Center, the impacted patient data was confined to demographic details, health insurance details, medical record numbers, patient account numbers, dates of service, provider and facility names, medications, procedure details and diagnoses.

The Conifer notice was sent approximately one month past the 60-day requirement outlined in the Health Insurance Portability and Accountability Act. Conifer’s notice appears to suggest the delay was caused by its review to determine the source of patient information.

Since discovering the intrusion, Conifer took defensive measures to address the security risk behind the hack, reset the email account password, and enhanced its security controls and monitoring practices. The vendor also “accelerated its implementation of multi-factor authentication for business email accounts within the environment.”

EmergeOrtho reports ransomware attack led to data access for 75K

The data of 75,200 patients tied to EmergeOrtho in North Carolina was accessed during a “sophisticated” ransomware attack deployed on May 18. The notice shows the delayed notification was tied to the lengthy investigation.

Upon discovery, EmergeOrtho initiated its disaster recovery response and retained an outside forensic investigation firm, which supported the investigation and confirmed the network's security. The provider is coordinating with the FBI.

The forensic analysis confirmed certain patient data was accessed during the incident. Notably, it appears a limited amount of information was involved in the hack: just patient names, dates of birth, addresses, and SSNs. No medical records, treatment information, financial account details, or payment card data were compromised.

EmergeOrtho has since implemented additional monitoring tools and is working to further enhance its systems security. All impacted patients will receive a year of free credit monitoring services.

Ransomware attack on Baton Rouge General leads to data access

During the first week of July, a ransomware attack reportedly struck Baton Rouge General Hospital and spurred electronic health record downtime procedures. Local news outlets confirmed that clinicians were leveraging paper processes during the network outage.

A recent breach notice released by the hospital shows the security team is still immersed in its investigation, attempting to determine the impact to protected health information. So far, the team has determined the attacker had access to its network for five days before deploying the ransomware payload.

The cyberattack struck on June 28, prompting the shutdown of certain computer systems. Third-party forensic specialists and law enforcement have been assisting the hospital with the response.

The response team is continuing to review the contents of the impacted directories to determine the precise data impact and the patients affected by the incident. Once the review is completed, hospital officials explained, they intend to notify the specific individuals by mail.

Northeast Rehabilitation updates November 2021 notice for 190K

New Hampshire-based Northeast Rehabilitation Hospital Network recently updated its November 2021 breach notice surrounding a systems hack first discovered on Sept. 30, 2021, to include 190,220 impacted patients.

NRHN notified the Department of Health and Human Services within 60 days of the incident, reporting it as impacting 501 patients, with the intention of updating the notice once the investigation concluded, enabling patients to take preemptive privacy actions.

The notice reveals its investigation confirmed a threat actor accessed certain systems for about one week, until Oct. 5, 2021. During the dwell time, the attacker accessed some of the data stored on the impacted servers.

The “comprehensive and time-intensive review of all involved files” was completed on Aug. 3 and confirmed the data was likely accessed and included names, contacts, dates of birth, SSNs, driver’s licenses, and financial account information.

NRHN has since implemented further safeguards and technical measures to bolster systems security, while enhancing its existing data privacy policies and procedures.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
