CommonSpirit Health confirmed that threat actors accessed patient data before a ransomware attack took down multiple hospitals nationwide. (Air Force)

CommonSpirit Health issued an update on the ransomware attack that brought down multiple hospitals across the country for more than a month, confirming the threat actors first gained network access weeks before the attack and patient data was, indeed, accessed.

As previously reported, the attackers first struck CommonSpirit on Oct. 2 and spurred network IT outages at various care sites operated by the country’s second-largest nonprofit hospital chain. While reports suspected all 142 hospitals and 700 care sites were impacted, the attack did not affect Dignity Health, TriHealth, Virginia Mason Medical Center, or Centura Health.

The impact was much smaller than originally projected, as was the data impact.

The total number of patients has yet to be shared on the Department of Health and Human Services breach reporting tool, but the breach notice shows only health information from Franciscan Medical Group and/or Franciscan Health in Washington was accessed — a small fraction when considering the scope of CommonSpirit’s reach and overall hospital outages.

The notice also shows that hospital networks were taken offline proactively to contain the spread and secure the network. With support from an external cybersecurity specialist, the investigation found that the attackers first gained access on Sept. 16, using the dwell time to access files of certain current and former patients, as well as some family members.

The investigation into the data impact is ongoing, but it appears seven hospitals and provider clinics collectively known as Virginia Mason Franciscan Health, an affiliated entity of CommonSpirit. So far, it appears the compromised data includes names, contact details, dates of birth, and a unique ID used internally by the entity.

Law enforcement is continuing to investigate the cyberattack, as well, and CommonSpirit returned the affected systems to the network with additional security and monitoring tools.

Data of 2.2 million patients stolen in pediatric EMR hack

Connexin Software, an electronic medical records and practice management software vendor for pediatric physician practice groups, recently notified 2.22 million patients that their data was accessed and stolen by a third-party threat actor during a hack of an internal computer network.

According to the notice, approximately 119 provider offices were impacted by the hack. With its report to HHS, the incident is now the third-largest healthcare data breach reported this year.

A “data anomaly” was detected on Connexin’s network on Aug. 26, which prompted an investigation. Two weeks later, they discovered an unauthorized party “accessed an offline set of patient data used for data conversion and troubleshooting,” and removed it from the network.  

An analysis found the stolen data varied by patient and could include names, guarantor names, parent or guardian names, contact details, dates of birth, Social Security numbers, highly specific health insurance information, treatments, procedures, diagnoses, prescriptions, provider names, medical record numbers, and billing and/or claims data,

Connexin officials stressed that the live EMR system wasn’t hacked during the incident, nor were any systems, EMRs, or databases belonging to physician practice groups. The vendor has since reset all enterprise passwords and moved all patient data into a more secure environment.

Law environment is continuing to investigate the incident, as Connexin works to enhance its security and monitoring capabilities to prevent a recurrence.

DHCHD informs 70,000 patients of systems hack, data theft

A systems hack against Dallam Hartley Counties Hospital District (DHCHD) in Texas on Sept. 28, led to the theft of protected health information tied to nearly 70,000 patients.

The notice suggests the “cybersecurity incident” was a ransomware attack or another malware variant, as DHCHD “took measures to contain the incident” and contacted law enforcement. Only some of DHCHD’s systems were impacted.

An investigation supported by a third-party forensics firm found that the attacker first gained access to the network the day before it was detected and used the access to acquire a subset of files containing patient data, like names, SSNs, health insurance information, demographic details, and limited medical information. 

The EMR application was not accessed during the incident. All impacted patients are being offered complimentary credit monitoring and identity theft protection services. DHCHD is currently working to bolster its security.

85,000 Mena Regional Health patients informed of data theft

The data of 84,814 patients tied to Mena Regional Health System in Arkansas were recently notified that their data was exfiltrated more than a year ago on Oct. 30, 2021.

The notice uses careful language, omitting when the incident was first discovered. Instead, MRHS explained that the investigation revealed on “Nov. 8, 2022 that one or more of the files removed by the unauthorized party” contained patient information. It’s an important distinction, as HHS recently reminded providers of the HIPAA-required 60-day timeframe for reporting.

What’s clear is that the incident was caused by an actor removing some patient files from the network. The data included patient names, SSNs, dates of birth, driver’s licenses, government IDs, financial account details, medical record or patient account numbers, diagnoses, treatments, provider names, lab results, prescriptions, and health insurance information.

The stolen and/or accessed data varied by patient, and all patients whose SSNs were compromised will receive credit monitoring services.

CCA Health California reports monthslong hack, data exfiltration

Approximately 15,000 CCA Health California current and former health plan members were recently notified that their data was exfiltrated from the insurer’s network during a monthslong hack that began as far back as May 4.

The incident was detected on Sept. 16, which  “disrupted the operations” of a portion of the IT systems of what was formerly known as Vitality Health Plan of California, now owned by CCA Health California.

Once the systems were secured, an investigation was launched with outsider support and law enforcement was notified. They found that a threat actor used the lengthy downtime to remove certain files, some of which contained patient data. Only CCA Health California's systems were accessed during the incident.

The stolen or accessed data involved member information, such as names, SSNs, dates of birth, contact details, demographic information, passport numbers, diagnoses, treatments, prescriptions, medical record numbers, lab test results, provider names, dates of service, and/or health insurance and plan member information.

CCA Health California has since improved its existing security safeguards, monitoring capabilities, and other technical measures.