Ransomware actors steal data of 400K patients from LA Planned Parenthood

A Planned Parenthood office is seen on Nov. 30, 2015, in New York City. (Photo by Andrew Burton/Getty Images)

Planned Parenthood Los Angeles filed a breach notice with the California Attorney General, notifying 400,000 patients that their data was exfiltrated during a weeklong hack launched by ransomware threat actors.

PPLA detected suspicious activity on its computer network on Oct. 17 and immediately took the systems offline. After notifying law enforcement, the provider contracted with a third-party cybersecurity firm to assist with investigating the incident.

The investigation found attackers gained access to the PPLA network between Oct. 9 and Oct. 17, during which they were able to exfiltrate some files on the network. An analysis of the impacted files revealed the stolen data varied by patient but combined names with contact details, dates of birth, insurance information, and clinical data, like diagnoses, procedures, and prescriptions.

The notification provides no further details about the incident, and SC Media has not seen any dark web posting of data tied to PPLA. The provider has since enhanced its existing security measures, including increasing network monitoring and hiring additional cybersecurity talent and resources.

Ransomware attack hits Howard University College of Dentistry

Howard University College of Dentistry recently notified 80,915 patients that their health information was potentially compromised by a ransomware attack launched on Sept. 3. The university previously notified the public of the incident shortly after discovering the ransomware threat.

An outside forensics firm assisted with the recovery efforts and investigation, while the response team insulated the IT environment to contain the impact of the virus. On Sept. 24, it was determined a system containing patient dental records was affected by the ransomware.

The investigators could find no evidence the attacker viewed or accessed any patient records. But as those files were rendered inaccessible by the ransomware, Howard is issuing notifications in compliance with the Health Insurance Portability and Accountability Act.

The compromised data contained patient information about dental visits performed between Oct. 5, 2019 and Sept. 3, 2020, with the notice stating that certain data “may not be available.” The system contained patient names, dates of birth, contact information, dental record numbers, health insurance numbers, dental history information, and some Social Security numbers.

Howard has since enhanced its cybersecurity measures to prevent a recurrence.

After hack and data exfiltration, Medsurant Health still assessing patient impact

The Department of Health and Human Services breach reporting tool shows 45,000 patients of Medsurant Health were impacted by a hacking incident on a network server. However, the public breach notice states the Pennsylvania provider is still working to determine just who was impacted by the incident to send patient breach notifications.

Medsurant Health received an email from an unknown account on Sept. 30, which alleged the actor exfiltrated data from the provider’s environment that contained protected health information. Given the potential impact to PHI, an investigation was launched into the incident.

A forensic review confirmed the Medsurant systems were accessible by an attacker for nearly two months between Sept. 23 and Nov. 12, during which time the actor was indeed able to steal and/or access the data contained in the systems. Some of the data was also encrypted during the hack, but Medsurant was able to restore the information from backups.

The stolen data could include full patient names, SSNs, contacts, diagnoses or conditions, dates of birth, and claims data.

The systems’ review is ongoing, as the provider works to determine the identities and contact information for the impacted individuals. As seen in frequent breach notices, forensic analysis can take several months. It appears that Medsurant worked to remain within the HIPAA-required 60-day notification timeframe. Early notice allows patients to take action to defend against fraud.

Medsurant has since implemented additional network monitoring and is working to review existing policies and procedures. The provider intends to implement additional administrative and technical safeguards to further secure its systems data.

TriValley Health reports ransomware, data theft incident

A ransomware attack on TriValley Health in October led to the theft of health information tied to 57,468 patients. The attack was discovered on Oct. 11 and impacted multiple networks and servers containing both PHI and protected personal information.

Notably, the actors behind “Groove,” which has since been painted as a hoax, previously took credit for the TriValley incident in a dark web posting and threatened to release data they claim to have stolen. The TriValley website was down during that time frame, but the post contained no proof of the data.

Upon discovering the incident, TriValley engaged a third-party forensics firm to assist with its remediation efforts and investigation. The FBI was also contacted for assistance and guidance as to how to respond. The investigation concluded on Nov. 4, finding that an attacker gained access to the systems and possibly obtained some information.

The analysis could not definitively determine the initial date of access, nor the records accessed or stolen during the hack. The notice does not provide details on the types of information possibly affected by the hacking incident. But all impacted individuals will receive free credit monitoring and identity protection services.

TriValley is in the process of implementing further safeguards for its existing cybersecurity infrastructure and enhancing its employee cybersecurity training, while continuing to work with the outside cybersecurity firm to improve its security policies, procedures, and protocols.

True Health New Mexico reports IT system hack

About 63,000 individuals with ties to True Health New Mexico were recently notified that their data was potentially compromised after an actor gained access to its IT network, first discovered on Oct. 5.

THNM immediately took steps to contain the threat to the impacted systems and partnered with an outside cybersecurity team to help with the investigation. The notice does not outline when the access first began, but states that the evidence indicated only THNM systems were affected by the incident.

The investigation determined the affected files may have contained information tied to current and former insurance members, certain providers, and former members of the health plan New Mexico Health Connections, which used to receive administrative services from True Health.

The compromised data could include names, SSNs, dates of birth, contact information, email addresses, insurance details, medical information, account member IDs, provider details, dates of service, and provider identification numbers. All affected individuals will receive two years of credit monitoring services.

THNM has since supplemented its existing security monitoring, scanning, and protective measures, and “quickly restored its principal operations with no material day-to-day impact to operations.” The insurer is continuing to work with law enforcement on the ongoing criminal investigation, while monitoring for any signs the impacted data has been misused.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
