
637K UNM Health patients impacted by two-month network hack, data theft

An EMT worker cleans a gurney after transporting a suspected Covid patient outside of a Brooklyn hospital on March, 29 2021, in New York City. Incidents at several hospitals nationwide have led to breaches of patient data. (Photo by Spencer Platt/Getty Images)

The data belonging to 637,252 UNM Health patients was accessed and exfiltrated in May 2021, after a threat actor gained access to the health system’s network. The incident was not discovered until June 4, two months after the initial access began.

The breach victim tally makes the UNM Health breach about the eighth largest reported in the health care sector so far this year.

Upon discovery, an investigation was launched to determine what information the attackers were able to access and obtain. Officials said they confirmed the impacted files contained patient names, contact details, dates of birth, medical record or patient identification numbers, health insurance information, and/or some clinical data.

The compromised data also included Social Security numbers for some patients. A systems review also determined the electronic health record (EHR) was not accessible to the threat actors. The notice does not provide any further details on the incident.

UNM Health has since provided workforce members with additional education and is working to enhance security measures.

Report shows Hive responsible for Memorial Health System attack

Over the weekend, a cyberattack on Memorial Health System drove the Ohio provider organization into EHR downtime procedures, which led to emergency care diversion and the cancellation of urgent surgeries. Although officials said there was no evidence patient data was affected by the incident, the Hive ransomware group has since claimed the attack.

As Coveware data has repeatedly shown, hackers are increasingly spending long periods of dwell time on victims' networks prior to deploying ransomware. During that time, the actors will typically move across the network through connected systems or devices and gather sensitive data.

A BleepingComputer report shows Hive has followed this threat tactic, stealing datasets that contain health information belonging to about 200,000 MHS patients.

The data theft has not yet been confirmed by MHS, and the MHS website has not been updated on the recovery efforts. This piece will be updated if more information becomes available.

St. Joseph’s/Candler hacked 6 months before ransomware deployment

The threat actors behind the June 2021 ransomware attack on St. Joseph's/Candler (SJ/C) first gained access to the network six months before the encrypting malware was deployed, according to a recent breach notice.

The June attack led to several weeks of EHR downtime procedures, including the use of pen-and-paper records and disruptions to some oncology care. Previous recovery plans and training enabled the care team to maintain nearly all patient care processes, with limited delays.

The August notice shows that the law enforcement and internal investigation found the attackers had access to the network between Dec. 18, 2020, and June 17, 2021, when the ransomware attack was launched. Officials said they could not rule out access to patient files, and there is no mention of any data exfiltration.

The potentially compromised information varied by patient and could include names, contact information, SSNs, driver’s licenses, health insurance plan member IDs, dates of service, patient account numbers, provider names, medical record numbers, and health and medical data tied to the care received at SJ/C.

SJ/C is working to improve its safeguards and technical security measures to prevent a recurrence. The breach has been reported to the Department of Health and Human Services as impacting 1.4 million patients.

Electromed reports systems hack, 47K patients impacted

Third-party vendor and device manufacturer Electromed recently notified 47,000 patients that their data was potentially compromised after a systems hack earlier this year.

On June 16, Electromed discovered a threat actor gained access to some files and promptly launched an investigation to determine the scope of the incident. Officials said they also partnered with an outside cybersecurity team and contacted law enforcement.

The investigation revealed the attacker accessed the system and files tied to patients, customers, employees, and some third-party contractors, which included protected health information. The PHI involved full names, contact information, medical data, and health insurance details.

For impacted associates, SSNs, driver's licenses, and financial data were also compromised. All impacted individuals will receive free credit monitoring and identity theft protection services.

Electromed has since taken steps to bolster its systems security, while working to improve workforce security training and review security protocols and processes.

Another provider added to major CaptureRx data breach

About 17,000 patients of New York-based Catholic Health Systems have been added to the ongoing CaptureRx breach tally, brought on by a February ransomware attack that has compromised the data of more than 1.7 million patients from a long list of health care providers. CaptureRx is a business associate that provides third-party pharmaceutical software.

The CaptureRx incident is the fourth largest health care data breach so far in 2021. Threat actors accessed and exfiltrated data tied to health care clients, which was stored in CaptureRx systems. The stolen data included names, dates of birth, and prescription details.

Catholic Health confirmed that no financial data, SSNs, or demographic details were contained in the stolen data. The Department of Health and Human Services breach reporting tool shows two separate incident reports, one with 10,464 impacted patients and one tied to 6,538 patients.

University Medical Center of Southern Nevada confirms data breach

In mid-June, a cyberattack struck the University Medical Center of Southern Nevada. One month later, the REvil hacking group claimed responsibility for the attack and leaked information that it claimed to have exfiltrated from the network prior to the malware deployment.

A recent update from UMC confirms the data breach and sheds light on the attack. The hack was first discovered on June 14 and contained within 24 hours by the IT team, which quickly worked to secure the network and reduce any possible care disruptions.

The attack did not impact any clinical systems, including the EHR. Instead, the hackers were able to access network servers that contained some patient files, including SSNs, demographic details, clinical data, diagnoses, insurance numbers, and other financial and personal information.

Since the attack, UMC has been working with the FBI and the Las Vegas Metropolitan Police Department. The provider is now working on multiple security initiatives, including updates to both internal and external security safeguards.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
