68K affected by data theft, ‘sophisticated’ network hack of health nonprofit Advocates

An October 2021 cyberattack on Norwood Clinic in Alabama was reported to HHS as impacting 228,103 patients. (Photo by Alex Wong/Getty Images)

Approximately 68,000 individuals who’ve received services from Advocates are being notified that their personal and protected health information was stolen during a four-day hack in September 2021. Advocates also provided notice to certain employees, whose data was exfiltrated during the hacking incident.

Advocates is a nonprofit organization based in Massachusetts that provides a range of services for individuals requiring support with addiction, autism, brain injury, mental health, and other health conditions.

The incident was first discovered on Oct. 1, when the nonprofit was notified that its data had been exfiltrated from its digital environment by a threat actor. Advocates took action to secure the system and engaged an outside cybersecurity firm to investigate the scope of the incident.

The investigation found that a hacker gained access to the network between Sept. 14 and Sept. 18, 2021, through a “sophisticated cyberattack.” During that time, the attacker accessed and copied data tied to both current and former individuals served by Advocates.

The stolen data included names, contacts, Social Security numbers, dates of birth, client identification numbers, health insurance information, diagnoses, and treatments.

Advocates is cooperating with the ongoing FBI investigation, while taking steps to bolster its security to prevent a recurrence. All impacted individuals will receive free credit monitoring and identity theft protection services.

St. Lucie County reports 4-year hack of drug screening lab

Over the course of four years, a misconfiguration in the web portal of St. Lucie County’s Drug Screening Lab left certain data accessible to unauthorized parties. The breach is not yet listed on the HHS reporting tool, so it’s not yet known how many individuals have been affected.

“After an extensive forensic investigation and thorough review of the data impacted,” SLC discovered the unauthorized access to the portal data on Dec. 28. The exposure occurred between June 2, 2017, and Oct. 13, 2021. It’s unclear when or how the issue was first detected.

“SLC Lab devoted considerable time and effort to determine what information may have been accessible to unauthorized users,” later confirming the compromised data could include one or more data elements for each impacted individual.

The information could include SSNs, dates of birth, and limited information tied to the type and result of lab tests. SLC is offering all impacted individuals free credit monitoring.

Medical Healthcare Solutions reports data theft, network hack

Portland, Oregon-based Medical Healthcare Solutions recently began notifying an undisclosed number of patients that their data was stolen during a network hack in October. The breach has not yet been listed on the Department of Health and Human Services breach reporting tool.

MHS is a medical billing, electronic health records, and practice management vendor. On Nov. 19, MHS discovered its systems had been hacked for several days between Oct. 1 and Oct. 4, during which the attacker removed certain files from the network. The network was immediately locked down.

MHS launched an investigation, which determined the stolen information varied by patient across a range of covered entities for which MHS provides services. The impacted providers include Harvard Medical Faculty Physicians at Beth Israel Deaconess Medical Center and Associated Physicians of Harvard Medical Faculty Physicians at Beth Israel Deaconess Medical Center.

The data could include names, dates of birth, contact details, SSNs, financial and credit card information, procedures, provider names, prescriptions, dates of services, diagnosis codes, claims data, patient account numbers, and other highly sensitive information.

MHS has since stabilized the network and implemented additional tools to bolster its security.

Employee fired, indicted after stealing data of 41K patients

An employee of South Georgia Medical Center was fired and recently indicted after taking a USB drive containing the data belonging to 41,692 patients from the hospital premises for personal use. 

SGMC supports public healthcare “for the benefit of the Hospital Authority of Valdosta and Lowndes County Georgia,” which is the covered entity listed on the HHS reporting site.

On Nov. 12, an SGMC employee removed the electronic patient data without authorization. The removal was detected by monitoring software employed by the hospital, which allowed for swift detection of the unauthorized disclosure. The data was quickly recovered, and there’s been no evidence the data has been misused.

Local news outlets shed further light on the incident and subsequent indictment. The employee left employment with SGMC the day before the software alert found an unauthorized download of patient data onto a USB.

The data was limited to patient names, dates of birth, and test results. SSNs, medical records, and financial data were not included in the stolen data. Officials say the files had not been erased from the hospital’s network. Further, the employee had legitimate access to the files.

However, the employee has since been charged with felony computer theft and invasion of privacy. The investigation has not determined the motive behind the incident. SGMC is retraining employees and limiting the use of USBs.

Update shows Maryland Health Department still not fully recovered

A Jan. 27 update shows the Maryland Departments of Health and Information Technology are still continuing their recovery efforts and investigation into what has since been confirmed as a ransomware attack. Other county health departments, including Garrett County and Wicomico County, have been experiencing disruptions to their services due to the attack.

The initial cyberattack and network outages began nearly two months ago on Dec. 4, and the attack was identified on an improperly functioning server. The virus was quickly contained, but the outages impacted the COVID-19 reporting features for several weeks, during which staff had to manually report new cases. The reporting tool has since been restored.

The latest update does not provide many new details, but confirms the health department is still trying to bring systems back online as it works with law enforcement on the investigation. There has still been no evidence of data compromise.

The nearly two-month outage is one of the largest reported in the U.S. health sector. The Ireland Health Service Executive faced a similar attack in the summer of 2021, and its network outage lasted well over two months. The cost of the recovery and lost services reached well over $600 million.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
