
Ohio hospital diverting ambulances, canceling appointments amid cyberattack


Southern Ohio Medical Center was hit with a cyberattack early Thursday, Nov. 11, which forced the nonprofit provider into electronic health record (EHR) downtime procedures. The ongoing outages have forced officials to divert ambulances and cancel some patient appointments, according to a SOMC social media posting.

“An unauthorized third-party gained access to SOMC’s computer servers in what appears to be a targeted cyberattack,” officials explained. “Patient care and safety remain our top priority as we work to resolve this situation as quickly as possible.”

Patients with canceled appointments are being contacted directly by SOMC. The latest update shows the downtime has led to Friday appointment cancelations, including outpatient medical imaging, cancer care services, cardiovascular testing, cardiac catheterization, outpatient surgery, and outpatient rehab, as well as appointments at its medical care foundation office.

SOMC is working with federal law enforcement and an outside security firm on the investigation. Officials said they’re continuing to assess the situation and will provide further updates when possible.

The SOMC incident joins three other cyberattack-related outages reported by healthcare entities in just over a month. Currently, the Newfoundland and Labrador healthcare system is still attempting to resume full operations after a cyberattack launched on Oct. 30.

The latest advisory shows the health system is still working to safely restore systems and operations and warns province residents that it appears protected health information was stolen in the attack. Government officials say they’re still investigating the scope of the incident, but the data includes current and former patients and employees from the last nine to 14 years.

Hive ransomware claims Johnson Memorial Health attack

Johnson Memorial Health is still attempting to return to normal system operations, five weeks after a cyberattack that led to EHR downtime procedures and intermittent issues with its phone system. It appears the Hive ransomware group has claimed the attack, leaking data they claim to have stolen from the provider prior to deploying the attack payload.

The attack was launched on Oct. 1 and discovered by the IT team within 15 minutes, prompting an immediate system shutdown. The attack affected the hospital's computer and phone networks and prevented providers from sharing patient information, such as lab results and scans, between departments.

Care was diverted from the emergency room for about a month during the recovery.

This week, hospital leadership told local news outlets that the bulk of the healthcare tech has been restored, outside of its email system. Staff are using backup email accounts to send emails. Some aspects of the network are slower than normal, including billing and charting.

The hospital is still investigating the incident, but screenshots shared with SC Media show Hive claims to have stolen patient information tied to 150,000 individuals, including Social Security numbers and next of kin details. Hive also claims to have exfiltrated 300GB of data from the hospital’s file server. The data leak was first disclosed late Nov. 11.

Take note: Utah Imaging Associates reports breach impacting 584K

The Department of Health and Human Services breach reporting tool shows Utah Imaging Associates experienced a network server security incident that led to a protected health information breach impacting 583,643 patients.

However, there are no public notices detailing the security incident, and the UIA website only provides access to its Picture Archiving and Communication System (PACS) diagnostics viewer.

The breach is among the 10 largest incidents reported in healthcare this year.

System hack at Urology Center of Colorado affects 138K patients

The data of 137,820 patients of The Urology Center of Colorado (TUCC) was potentially compromised after an actor hacked into certain parts of its network that contained protected health information.

The system hack was first detected Sept. 8, but initial access began the previous day. The notice does not explain whether there was evidence the data was accessed, just that the affected servers contained health information.

The compromised data varied by patient and could include names, dates of birth, SSNs, contact information, medical record numbers, diagnoses, provider names, insurance carrier, treatment costs, guarantor names, and email addresses. All affected patients will receive free credit monitoring and identity protection services.

TUCC has since reset all account passwords and intends to implement additional security measures.

Maxim Healthcare reports PHI breach from 2020, far outside HIPAA timeline

A monthslong email-related security incident in 2020 possibly led to the access of protected health information tied to 65,267 Maxim Healthcare Group patients. However, the Maryland provider is just now notifying patients, 11 months after discovering the account intrusion.

On Dec. 4, Maxim detected unusual activity in several employee email accounts. The investigation into the incident found the accounts were accessed without authorization for two months between Oct. 1, 2020, and Dec. 4, 2020. Investigators were unable to determine the precise email messages or attachments viewed or accessed by the attacker.

Maxim then performed a thorough programmatic, manual review of the account contents to determine the information contained in affected accounts, which concluded on Aug. 24. The notice explains the team took another month locating contact information, then waited until Nov. 4 to release notices about the breach to patients.

Under the Health Insurance Portability and Accountability Act, covered entities and business associates are required to notify patients of PHI-related breaches within 60 days of discovery — not at the close of an investigation. Maxim joins a number of other covered entities that have failed to disclose data breaches in a timely manner this year.

HHS has historically issued serious civil monetary penalties against organizations that failed to timely notify patients of data breaches. In 2017, Presence Health became the first entity to face enforcement action for failing to timely notify patients of a breach. Just 836 patients were affected by an Oct. 22 breach reported to HHS in January 2014, just about a month after the 60-day timeline. The settlement included a $475,000 civil monetary penalty.

In Maxim's case, as previously noted, email account compromises are notoriously labor intensive and involve challenging forensic reviews that can make it difficult to fully determine the exact names or contact information of the impacted individuals.

However, several covered entities have successfully notified patients within the HIPAA-required timeline despite ongoing forensics reviews, which allows patients to swiftly move to protect their identity from fraud attempts.

One of the best examples was seen with the 2019 phishing campaign against the Oregon Department of Human Services. The initial notice in March 2019 informed 350,000 patients of a potential breach of their information and said that investigators were still working to analyze more than 2 million emails in the impacted accounts to determine who and what was compromised.

The investigation continued until June 2019, when the state health department released a follow-up report that informed another 300,000 patients of the potential impact to their data, as well as the security measures they’d take to prevent a recurrence.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
