
Behavioral Health Group informs 198K patients of data theft from December

Nearly 200,000 Behavioral Health Group patients were notified that their data was stolen in a December 2021 cyberattack. (Air Force)

Behavioral Health Group recently began notifying 197,507 patients that their data was stolen more than eight months ago during a cyberattack. However, the BHG notice confirms December 2021 reports that the opioid treatment provider first learned of the extortion effort during that time.

BleepingComputer was the first to report that BHG and its 80 clinics suffered a week of IT outages that disrupted patient care after a cyberattack forced the team to shut down portions of the network to prevent the further spread.

The attack caused delays for patient medications, as the computer tasked with printing prescriptions was offline. At the time, the specific type of attack was unknown.

But the BHG notice confirmed the December incident enabled the attackers to remove certain files and folders from portions of the network ahead of the attack on Dec. 5, 2021. The investigation concluded six months later that patient data was contained in those files. It’s unclear why BHG did not adhere to the 60-day reporting requirement outlined in HIPAA.

The stolen data varied by patient and could include patient names, Social Security numbers, driver’s licenses, passports, biometrics, health insurance information, diagnoses, treatments, prescriptions, dates of service, and medical record numbers. Only patients whose SSNs were compromised will receive free credit monitoring.

BHG has since bolstered its IT network and added further security improvements, including resetting account passwords, strengthening password requirements, adding multi-factor authentication to its network, upgrading its endpoint detection software, implementing a third-party security monitoring solution, and training employees on threat detection and security.

102K First Choice Community Health patients notified of PHI theft

A group of 101,541 patients tied to First Choice Community Healthcare in New Mexico have been informed that their personal and protected health information was accessed and/or stolen during a “security event” first discovered on March 27.

The notice does not detail when the attack was first discovered, the specific threat behind the incident, nor the three-month delay in reporting the incident to patients. What’s known is that upon discovering an intrusion in its technological environment, First Choice contracted with an outside cybersecurity firm to support the subsequent investigation.

The forensic review concluded in June, finding that the stolen data could include patient names, SSNs, patient IT numbers, diagnoses, treatments, prescriptions, dates of service, health insurance information, medical record and patient account numbers, dates of birth, and provider details.

UK NHS outage expected to resolve in “three to four weeks”

The ongoing outage at the 111 emergency services of the U.K. National Health Services is expected to be resolved “within the next few days,” according to an update from managed service provider Advanced. Advanced provides most patient management solutions for NHS.

“For NHS 111 and other urgent care customers using Adastra and NHS Trusts using eFinancials, we anticipate this phased process to begin within the next few days,” according to the update. “For other NHS customers and Care organizations, our current view is that it will be necessary to maintain existing contingency plans for at least three to four more weeks.”

As previously reported, all NHS emergency services were facing disruptions after a cyberattack struck Advanced on Aug. 4. The “major outage” has had far-reaching effects on the United Kingdom’s health system, with patients informed of likely delays when seeking services.

The update from Advanced shows the vendor is working with Microsoft DART and Mandiant on its investigation and response to safely bring systems back online, while maintaining contact with government entities like NHS to inform them of the continued progress.

So far, it appears there’s no evidence the malware has spread to customers, and it’s believed that “early intervention from the incident response team contained the issue to a small number of servers.” The Health and Care systems were isolated last week, and since then, there have been no further issues detected. 

For now, Advanced is working to rebuild and restore the impacted servers “in a separate and secure environment.” The vendor is using a “defined process by which all environments will be systematically checked prior to securely bringing them online,” so customers feel confident when reconnecting to the products once services have been restored.

Advanced also shared NHS-specific details, noting that their response team is working with the health system and The National Cyber Security Centre to validate the steps taken, “at which point the NHS will begin to bring its services back online.”

Law firm hack compromises data of 120K Priority Health patients

The hack of certain servers belonging to Warner Norcross + Judd in October 2021 led to the compromise of data belonging to about 120,000 patients with ties to Priority Health. Priority Health is the second-largest health plan in Michigan and uses the law firm for support “on occasion.”

Upon discovering “unauthorized activity” on its systems, the law firm worked to secure the network and contracted with a digital forensics firm to investigate the scope. The investigation determined personal and health information was contained on the impacted servers in May.

Priority Health was notified of the impact to its patient data seven months later on June 6, 2022. The compromised data included patient names and pharmacy claim information for prescriptions filled in 2012, such as medication name, date the prescription was filled, and insurance name.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
