The impact from the Eye Care Leaders ransomware attack continues to expand, with five more covered entities reporting impacts to patient data in the last week.
About 175,000 Spectrum Eye Physicians, 33,000 patients of Chesapeake Eye Center, and 9,000 Orangeburg Eye Center patients were added to the breach tally, as well as a currently unknown number of patients from two Oregon providers Stokes Regional Eye Centers and Sharper Vision.
In total, over 2.2 million patients have been tied to the ECL incident, making it the largest healthcare data breach so far this year. ECL has also been accused of concealing multiple ransomware attacks and related network outages earlier in 2021, unrelated to the wave of breach notices.
As previously reported, a threat actor gained access to the ECL electronic medical record (EMR) platform and certain client data in early December. Sharper Vision’s notice shed further details on the incident, including that the cyberattack caused EMR downtime for at least a week for some providers.
The Stokes Regional Eye notification added that it “received no additional information regarding this outage until March 1, 2022.”
During the hack, the actor deleted several databases containing patient data and system configuration files. ECL’s investigation couldn’t conclusively rule out access or theft of protected health information, which could include contact details, dates of birth, Social Security numbers, treatments, and diagnoses. For some clients, financial information and other data was impacted.
Chesapeake Eye’s notice explained ECL “restored the ability to utilize patient information,” to maintain patient care. Its independent investigation revealed that prior to the incident, ECL employed layers of encryption for its data but it failed to “encrypt the patient information itself.”
ECL has “assured” the provider that all patient information would be encrypted moving forward. The notice shows that “however, Chesapeake Eye is considering terminating this vendor relationship.”
Much like several other impacted providers, the incident has led Spectrum to terminate its EMR contract with ECL and intends to transfer its PHI to another vendor. Spectrum is also working with its “legal counsel to determine what, if any recourse, we have concerning this breach.”
1.2M Baptist Medical patients notified of health data theft
Baptist Medical Center and Resolute Health Hospital in San Antonio Texas recently notified 1.2 million patients that their protected health data was likely stolen during a systems hack in March.
The security team discovered the systems’ intrusion on April 20, after finding malicious code had been installed on certain systems within the network. In response, the team immediately suspended user access to the affected IT applications and launched protection protocols.
The subsequent investigation determined the threat actors first gained access several weeks before it was discovered on March 31 and used their access to remove data containing patient information from the network. The forensic analysis is ongoing.
The compromised data varied by patient and could include demographic details, contact information, SSNs, health insurance details, medical record numbers, dates of service, diagnoses, treatments, reason for visit, facility name, claims data, billing and diagnostics codes, and other sensitive information.
The investigation confirmed that no driver’s licenses, credit and debit card information, bank account details, and account passwords were not involved. The provider has since enhanced its monitoring capabilities, while bolstering its systems security.
Yale New Haven Hospital reports breach after user error
A Yale New Haven Hospital employee inadvertently posted a file created for research purposes onto a public-facing website, which exposed the data of 19,496. The notice shows the investigation found the data may have been accessed “by a small number of people.”
The file was first uploaded on Dec. 16, 2021, but wasn’t discovered until four months later on April 18. Upon discovery, YNHH immediately ensured the website and content were no longer accessible or searchable through the internet. A third-party forensic firm was brought on to assist the investigation.
The review confirmed the incident was caused by “human error, was inadvertent in nature, and not due to intentional or malicious actions.” The exposed data included patient names, contact details, ages, preferred language, medical record numbers,procedures, and dates and locations of service. SSNs and financial information were not included in the file.
The hospital has since reviewed the security permissions across all of its internet-facing systems and will retrain employees around safeguarding health information. YNHH is also working to enhance its existing technical safeguards.
It’s the second security incident reported by YNHH in the last year. The Connecticut hospital was affected by the cyberattack on oncology and radiology system provider Elekta in early 2021. More than 40 health systems reported experiencing network issues from the attack, which was confined to U.S. cloud customers. Only some saw patient data compromised.
Additional providers added to MCG Health breach tally
At least eight healthcare covered entities, including Phelps Health and UNC Lenoir Health, have now been listed among those impacted by the “data security issue” reported by MCG Health, a business associate that provides care guidelines to covered entities and health plans.
The Department of Health and Human Services breach reporting tool 793,283 patients were affected by the data theft. However, state reported sites show varying totals, including a report with Maine for over 1 million patients. Given the ongoing investigations, the breach tally may continue to grow into the foreseeable future.
As shown in earlier reporting, the MCG notice is scant on details but shows a threat actor stole personal and protected patient data during a likely hack of the vendor. The investigation did not determine until March 25 that the data theft occurred. MCG provided no further insights into how the data was obtained, nor whether it was caused by ransomware or another type of hack.
The UNC-Lenoir notice sheds further light on the incident: a threat actor contacted MCG in December 2021 and again in January 2022, claiming to have stolen patient data from the vendor. The actor attempted to extort MCG in exchange for the return of the stolen information.
In response, MCG launched an investigation and contacted the FBI. Lenoir was not notified of the incident until April 24.
Forensic investigators confirmed records tied to 10 patients were listed by the hacker on the dark web, and it’s believed the data came from MCG. No Lenoir patient files were posted for sale, but MCG determined the attacker “may be in possession of Lenoir information.” The actor has not directly contacted Lenoir.
The forensic analysis found the stolen data varied by patient and could involve SSNs, medical codes, dates of birth, and contact information. The Phelps Health notice shows email addresses and gender details were stolen, as well. The provider is continuing to monitoring MCG’s efforts and its ongoing relationship to ensure the security of patient data.The Lenoir notice confirms MCG hasn’t discovered how the attacker acquired Lenoir data. MCG has since deployed additional monitoring tools and is working to improve its security.