
Breach notice confirms One Brooklyn Health cyberattack, outage in November

The New York State Department of Health confirmed to SC Media that a One Brooklyn Health network outage in November was a cyberattack. (Army National Guard)

One Brooklyn Health issued a breach notice, shining a light on the reported network outages faced by the New York provider in November and December.

OBH had kept relatively quiet amid local media outlets’ coverage of patients experiencing care delays because of the breach. As SC Media previously reported, its hospitals were forced offline due to an unexplained IT issue in November, with providers operating under electronic health record downtime and leveraging paper processes to maintain patient care.

The New York State Department of Health confirmed to SC Media that it was aware of the incident and was working with OBH to prioritize patient safety. However, the health system provided scant details on the outage or the attack, much to the frustration of patients.

The notice confirms the “cybersecurity incident” struck Nov. 19 and affected three OBH hospitals and affiliated care sites: Brookdale Hospital Medical Center, Interfaith Medical Center, and Kingsbrook Jewish Medical Center. These safety net hospitals serve approximately 1 million under-resourced patients in Brooklyn's Flatbush neighborhood.

The incident impacted all computer systems and temporarily disrupted certain operating procedures. While the description of the incident points to ransomware, officials did not confirm the cause behind the attack.

OBH proactively took systems offline in the wake of the attack and engaged with an outside specialist to determine the nature of the attack. The forensics revealed that access to OBH systems began more than four months before the attack was deployed, enabling the threat actor to “copy a limited amount of data” from the network.

The investigation team is still reviewing the contents of the compromised data to determine just what protected health information or personal data was contained in the affected files. The initial assessment has confirmed some patient information was part of the exfiltrated data.

OBH has confirmed that patient names, dates of birth, billing and claims data, treatment details, medical record numbers, prescriptions, and health insurance information were compromised.

Law enforcement has been contacted, and health system leaders are continuing to cooperate with their ongoing, independent investigation. OBH is currently reviewing its existing data protection policies and training protocols, after implementing enhanced security measures and monitoring tools.

NextGen added to ALPHV dark web posting

Earlier last week, the actors behind the BlackCat (aka ALPHV) ransomware published a new post on their dark web site claiming to have stolen a trove of data from NextGen Healthcare. NextGen provides healthcare IT platforms, EHR, and practice management tools for ambulatory care providers.

The posting appeared Jan. 17 with a number of other alleged victims outside of the health sector. In a comment sent to SC Media, a NextGen Healthcare spokesperson confirmed that they’re “aware of this claim” and “have been working with leading cybersecurity experts to investigate and remediate.” 

“We immediately contained the threat, secured our network, and have returned to normal operations,” the spokesperson explained. The forensic “review is ongoing and, to date, we have not uncovered any evidence of access to or exfiltration of client or patient data. The privacy and security of our clients and their patient information is of the utmost importance to us.”

The Department of Health and Human Services issued an alert on the threat of BlackCat to the sector in December and a near-identical warning earlier this month. The “exceptionally capable” group is likely operated by significantly experienced threat actors.

The HHS Cybersecurity Coordination Center warned that ALPHV is “one of the most sophisticated Ransomware-as-a-service (RaaS) operations in the global cybercriminal ecosystem,” and that it is a human-operated variant. BlackCat should concern all provider organizations, as its capabilities are technically superior to those of other RaaS variants and it can operate across a wider range of corporate environments.

BayCare Clinic reports breach tied to use of Pixel tracking tool

BayCare Clinic is notifying 134,000 of its patients that their data was compromised due to the use of Google and Meta Pixel tracking tools on its MyCareBay patient portal. BayCare Clinic is the largest physician-owned specialty-care clinic in northeastern Wisconsin and Michigan’s Upper Peninsula and is part of Advocate Aurora Health.

The notice posted on its website directs patients to the pixel notification previously posted on the Advocate Aurora website. However, both the patient notice and FAQ page posted on the parent company’s site have since been taken down.

As SC Media reported, Advocate Aurora previously informed patients that their protected health information was shared with third-party vendors, like Google and Facebook, as a result of the use of Pixel tracking tools on its patient portal websites, applications, and some scheduling tools.

The health system previously used the tracking technologies “to understand how patients and others interact with our websites,” by measuring and evaluating trends and preferences of patients using their websites.

However, Advocate Aurora found that the tools disclosed details about patients’ website interactions with third-party vendors, particularly users “concurrently logged into their Google or Facebook accounts and have shared their identity and other surfing habits with these companies,” officials explained at the time.

Their investigation also revealed that the pixels and similar technology used on its websites disclosed certain protected health information to specific vendors in “particular circumstances.” Given its affiliation with Advocate Aurora and the redirection to the previously posted breach notice, BayCare Clinic patients likely saw the same disclosures.

Advocate Aurora disabled and/or removed pixels from its platforms after discovering the unauthorized disclosure and is currently defending itself against a patient-led lawsuit filed in the wake of its breach notice and multiple reports alleging that the Meta Pixel tool was scraping hospital data without patient consent.

Facebook, Novant Health and WakeMed are also fighting similar lawsuits, filed after the providers issued similar notices to patients.

Insulet notifies OmniPod users of third-party exposure

Using similar language to provider organizations impacted by Pixel use, Insulet recently informed 29,000 Omnipod medical device users that their data was exposed to “website performance and marketing partners” due to a misconfiguration in its email receipt verification.

The notice explains that Omnipod DASH patients were sent a Medical Device Correction letter, with an emailed follow-up receipt acknowledgement request. The configuration of the webpages used for this verification “exposed some limited personal information” about patients to the outside parties, through the use of cookies and “other trackers” embedded in the Omnipod site.

The URL of the page customized to each user included their IP address, whether the individual was a DASH user, and whether the patient has a Personal Diabetes Manager. All of this information was inadvertently shared with Insulet’s website performance and marketing partners.

Upon discovering the misconfiguration on Dec. 6, Insulet disabled all tracking codes used on its site to prevent further exposure of protected health information. Insulet has also requested that the partners that received this information delete logs of the IP addresses and unique URLs to block their access to this personal information.
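One defensive check for the exposure described above, as an added example that is not Insulet's code: a function that strips user-identifying query parameters (the parameter names are assumed for illustration) from a per-user page URL before any embedded tracking script can read it.

```javascript
// Added example (not Insulet's code): remove identifying query parameters
// from a page URL before third-party trackers see it. The parameter names
// below are assumed for illustration, not taken from any real site.
const IDENTIFYING_PARAMS = new Set(["ip", "dash_user", "has_pdm", "patient_id", "email"]);
// Catches values that look like an IPv4 address regardless of parameter name.
const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

function scrubIdentifyingParams(urlString) {
  const url = new URL(urlString);
  const removed = [];
  // Copy the entries first so deleting while iterating is safe.
  for (const [key, value] of [...url.searchParams.entries()]) {
    if (IDENTIFYING_PARAMS.has(key.toLowerCase()) || IPV4.test(value)) {
      url.searchParams.delete(key);
      removed.push(key);
    }
  }
  return { url: url.toString(), removed };
}

// In a browser, call this before any tag manager or pixel script loads, then
// rewrite the address bar so later-loading trackers only ever see the clean URL:
//   const r = scrubIdentifyingParams(location.href);
//   if (r.removed.length) history.replaceState(null, "", r.url);
```

The `removed` list doubles as an audit signal: logging it server-side (without the values) shows which pages still embed identifiers in their URLs.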

Arkansas hospital reports ongoing investigation of data exfiltration

Howard Memorial Hospital in Arkansas recently began notifying an undisclosed number of patients that it's currently investigating a data security event, after a threat actor claimed to have stolen a trove of data from its network on Dec. 4.

HMH detected suspicious activity within its computer network in early December, just as the actors levied their allegations. The response team quickly worked to secure its network and launched an investigation with support from an outside cybersecurity firm, while “safely maintaining full operational functionality” to continue treating patients.

The investigation is ongoing, but HMH has since confirmed the threat actors indeed stole “certain files” from the network between Nov. 14 and Dec. 4.

For now, HMH has confirmed the potentially stolen data could include names, contact details, SSNs, health insurance information, medical record numbers, medical histories, diagnoses, treatments, and provider names. For employees, the data could include names, contact details, SSNs, dates of birth, and direct deposit bank account information.

The response team is still reviewing the “at-risk files in order to identify those current and former patients, and any current and former employees, whose information may have been impacted by this event.” HMH intends to issue a follow-up notice directly to those impacted patients, once they’ve confirmed the impact.

The prompt notice will enable patients to quickly respond to potential identity theft and fraud attempts, while allowing HMH to adhere to the 60-day reporting requirement outlined in the Health Insurance Portability and Accountability Act.

HMH is currently evaluating its existing policies and procedures and intends to implement additional administrative and technical safeguards to prevent a recurrence.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
