Breach, Ransomware, Incident Response

Health data theft at Physician’s Business Office impacts 197K patients

Nearly 200,000 patients were notified that their personal data was likely stolen after a hack of West Virginia-based Physician's Business Office in April. (Maryland Air National Guard)

Physician’s Business Office notified 196,573 patients that their personal data and protected health information was likely stolen during a hack of its network five months ago. Based in West Virginia, PBO provides medical practice management and administrative services for healthcare providers.

PBO discovered unusual activity in its network environment in April 2022 and took steps to secure the network. An outside digital forensics and incident response firm was brought on to assist and found that data stored on the network was accessed “and potentially acquired without authorization” during the hack.

Under the Health Insurance Portability and Accountability Act, covered entities and business associates are required to report any breaches of PHI affecting over 500 patients within 60 days of discovery. PBO appears to explain the delay by its “diligent” review of the potentially impacted data to identify the patients and providers tied to the data, which concluded on June 30. Providers were informed on July 26.

Its explanation for waiting another three months before sending the official notice was the coordination with providers and working “to collect current mailing addresses for all potentially impacted individuals.”

The stolen data could include patient names, Social Security numbers, dates of birth, driver’s licenses, treatments, diagnoses, contact details, disability codes, prescription information, and health insurance account details. Patients will receive free credit monitoring and identity theft protection services.

PBO has since implemented several measures in its system to bolster its information security and reduce the possibility of a recurrence.

Reiter reports weeklong cyberattack, data theft affecting 93K

A hack deployed prior to a cyberattack against Reiter Affiliated Companies led to the theft of personal and health information for the 93,000 patients tied to the health and welfare plans of Reiter Affiliated Health and Southern Pacific Farming. Reiter is the largest fresh multi-berry producer in the world, and the data appears to be tied to its employee health plans.

On July 4, Reiter detected unauthorized activity on its network, which rendered some of its systems unavailable. The notice does not explain if ransomware was behind the cyberattack. Upon discovering the intrusion, Reiter shut down network access and launched its incident response plan.

The evidence revealed that the hack actually began a week earlier, between June 25 and July 4. The attacker used the dwell time to obtain files stored on the network. The stolen data was tied to plan enrollment rosters, which contained member names, SSNs, and dates of birth.

Patients will receive credit and identity monitoring, and Reiter has since enhanced its existing security measures.

59K Reelfoot patients affected by hack, data theft

Tennessee’s Dyersburg Family Walk-In Clinic, d/b/a Reelfoot Family Walk-In Clinic, recently informed 58,562 patients that their data was stolen after a hack of “certain computer systems.”

After discovering the “suspicious activity” on July 24, Reelfoot promptly took steps to stop it and launched an investigation with support from third-party forensic specialists. The review revealed the intrusion lasted for more than a month, from July 10 to Aug. 14, which enabled the attacker to exfiltrate certain data.

The stolen data varied by patient and could include names, SSNs, dates of birth, contact details, diagnoses, disability codes, lab results, prescriptions, medical records, treatment data, driver's license numbers, financial account details, claims data, patient IDs and other identifiers, and billing information. Impacted individuals will receive complimentary credit monitoring services.

In response to the incident, Reelfoot worked to improve the security of its environment and is currently adding further technical safeguards to its information security measures. The provider “will continue to train and educate its employees about information privacy and security best practices.”

OakBend Medical Center still recovering systems after attack

OakBend Medical Center is nearly finished recovering the systems impacted by a cyberattack deployed three weeks ago. The latest update on Sept. 22 shows the Texas hospital has brought nearly all clinical systems back online.

Hospital officials say they're "continuing to make steady progress in restoring all of the systems affected by the recent ransomware attack," while working with an electronic forensics company to help identify the extent of the data theft the hospital reported last week.

As previously explained, the Daixin threat group claimed the attack and posted data proofs on its leak site with allegedly more than 1 million records that include personally protected information and protected health information like SSNs, data on medical services, treatment information, and other sensitive data.

The hospital is nearly finished with its recovery efforts, which previously led to communication issues. The IT team has since implemented multi-factor authentication for outside users and installed a new software system to monitor for future threats and ensure the malware from the attack has been eradicated.

Choice Health data offered for sale by threat actor

A notice to the Maine Attorney General shows Choice Health reported that a security configuration issue on a single server exposed a database containing PHI of 22,767 patients, which was accessed by a threat actor and later offered for sale online. The patient data is tied to Humana, which “has a contract with Choice Health to sell Medicare products on our behalf.”

Choice Health learned a threat actor was “offering to make data available that was allegedly taken from [its] database” on May 14. Four days later, Choice Health confirmed the misconfiguration of a single database that was caused by a third-party service provider.

The investigation confirmed a hacker accessed the exposed database and obtained certain files several months earlier on May 7. But “at the time, Choice Health believed the affected data was comprised solely of lead generation and marketing information that belonged exclusively to Choice Health and not to any of their carrier partners.”

Choice Health initially sent a notice to the Maine AG on June 8 with those details. However, a further investigation revealed on July 26 that the stolen data did indeed include carrier partners’ information, including Humana’s, and Choice Health informed the insurer of the patient data impact on Aug. 5. The list of affected patients was provided on Aug. 29.

The stolen data contained patient names, SSNs, dates of birth, contact details, health insurance data, and Medicare beneficiary identification numbers.

Choice Health worked with the third-party service provider responsible for the misconfigured database to fix the security settings. The impacted database is no longer accessible through the internet. They’ve since enhanced their data security to prevent a recurrence, which includes requiring multi-factor authentication for all access to database files.

French Hospital update shows threat actors leaked patient data

On Aug. 21, the French hospital Centre Hospitalier Sud Francilien (CHSF) reportedly fell victim to a cyberattack, which locked down the network and led to care diversion processes for patients. The network, business software, storage systems, medical imaging, and the information system for patient admissions were rendered “inaccessible for the time being.”

Hackers were demanding hospital officials pay a $10 million ransom to unlock the impacted systems. The latest update shows the hospital refused to pay the extortion demand. Health minister Francois Braun issued this statement on Twitter: “I condemn in the strongest terms the unspeakable disclosure of pirated data from the CHSF.”

“We will not give in to these criminals,” he added. “All state services are mobilized alongside the South Francilien Hospital Center in Corbeil-Essonnes.” 

Cybersecurity researcher Damien Bancal, who first uncovered the stolen data leak, explained to local media that the information includes lab results and medical scans all tied to patient security numbers. In response, hospital officials are urging patients and staff to be on the alert for potential fraud schemes.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
