Additional 15K added to Eye Care Leaders’ already record-setting breach tally

An Air Force ophthalmologist performs surgery on a patient on Sept. 1, 2022. (Army)

Another 15,000 patients have been added to the breach tally of the Eye Care Leaders ransomware attack from nearly one year ago.

Massengale Eye Care issued a breach notice to patients in late October, informing them that their data was also compromised during what remains the largest incident reported in healthcare this year at nearly 3.7 million impacted patients.

While mainstream media outlets have recently warned that the CommonSpirit Health cyberattack could impact 20 million patients, the massive health system’s financial report from this week again stated that it is still investigating and has not found evidence of patient data impacts. As such, ECL still holds the dubious top position.

As reported, ECL’s EMR was hit with a ransomware attack on Dec. 4, after a threat actor accessed the platform and deleted databases and system configuration files. Without the data, it was not possible to identify whether the data was accessed or exfiltrated before it was deleted.

The compromised data varied by provider and patient, and for Massengale the data could include names, contact information, dates of birth, Social Security numbers, diagnostic details, and health insurance information.

ECL has not issued its own breach notice with the Department of Health and Human Services, as it defends itself against a provider-led lawsuit accusing the cloud EMR vendor of concealing additional ransomware incidents deployed earlier this year.

A number of providers affected by those alleged incidents spoke exclusively with SC Media, detailing their frustration over the stonewalling. The lawsuit status was last updated in October, with at least 13 filings to extend the time to respond to the claims and two more filings requesting the case be dismissed. In these filings, ECL has repeatedly denied these claims.

CorrectCare security incident swells to 607K impacted individuals

Two more healthcare entities have filed breach notices with HHS, after their medical claims processing vendor CorrectCare informed them that their patient information was exposed due to two misconfigured file databases in July.

CorrectCare Integrated Health filed three notices with HHS Office for Civil Rights as impacting 496,589 individuals, while its clients PrimeCare Medical and Mediko sent notices to 22,254 patients and 2,809 individuals, respectively.

Combined with the 85,466 pretrial detainees and inmates of the Louisiana Department of Public Safety and Corrections, the breach tally has now reached 607,118.

As previously reported, the notices stem from a security incident first detected by CorrectCare on July 6. Two file directories on CorrectCare’s web server were inadvertently exposed to the public internet and secured within nine hours.

The subsequent forensic investigation determined the exposed database contained data from patients who’d received care at the impacted providers, from as far back as Jan. 1, 2012. The data included names, SSNs, dates of birth, inmate numbers, diagnosis codes or CPT codes, provider names, and dates of treatment.

The file directories did not contain any driver’s license numbers, financial account details or financial card information. CorrectCare has since implemented security enhancements on its systems.

Work Health Solutions reports email hack affecting PHI

Occupational health service provider Work Health Solutions recently informed an undisclosed number of patients that their data was exposed during an email hack more than six months ago.

The notice does not explain when the unauthorized account access occurred, only that a single email account was hacked for over a month between Feb. 16 and March 24 of this year. On Oct. 11, the investigation confirmed that patient data was contained in the accounts.

As extensively reported by SC Media, many email-related security incidents are reported far outside of the Health Insurance Portability and Accountability Act’s 60-day requirement, due to the forensic challenges. HHS recently reminded the sector that timely reporting is required by HIPAA regardless of whether an investigation is ongoing.

For WHS, the forensics determined the account contained patient names, SSNs, driver’s license numbers, health insurance details, and/or medical information. Not all patients were affected by the incident. Patients whose SSNs were compromised will receive free credit monitoring services.

Phishing attack impacts 18K Gateway Ambulatory Surgery patients

A little more than 18,000 patients tied to Gateway Ambulatory Surgery Center in North Carolina were recently notified that their data was compromised during a phishing attack earlier this year.

The carefully written notice explains that access to two employee email accounts was first discovered in April, which prompted a lengthy investigation that did not conclude until September. It’s unclear why the provider waited yet another two months to inform patients of the privacy breach.

The analysis confirmed the access was brought on by a phishing incident, which led to a three-month period of unauthorized access to these accounts between Feb. 14 and May 10 — one month after the initial access was discovered.

Access to the emails and the attachments can’t be ruled out, prompting a comprehensive search of the email contents to identify the impacted patient information. Gateway confirmed the data could include health benefit enrollment data, health insurance details, medical histories, patient account numbers, and dates of service. A small set of SSNs and driver’s licenses were also exposed.

Gateway is currently working to enhance its security measures by implementing a new endpoint detection and response system and providing employees with additional training.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
