California health plan facing network disruptions after alleged Hive ransomware attack

HHS OCR (Sarah Stierch/CC BY 4.0).

Partnership HealthPlan of California (PHC) is currently experiencing computer system disruptions and working to recover its network with support from third-party forensic specialists. Multiple reports allege the Hive ransomware group is behind the attack.

PHC's official website notice does not explain the underlying cause, but DataBreaches.net was first to report that Hive ransomware actors have taken responsibility for the attack. The post has since been removed, but screenshots show Hive's dark web leak site previously displayed data proofs allegedly exfiltrated from the PHC network before ransomware was deployed.

The proofs contained approximately 850,000 unique records, totaling 400GB of data. Hive claimed to have deployed the ransomware on March 19. Again, the official website makes no such statement, nor did the ransomware group reveal any alleged patient data on the site before it was taken down.

The notice shows the health plan is currently investigating the incident and working to “safely restore full functionality to affected systems, and determine whether any information may have been potentially accessible as a result of the situation.”

PHC will notify relevant parties if any patient information was potentially accessed during the incident. The health plan has also established a number of helplines for specific medical needs or questions.

It appears the network disruption has disabled PHC’s ability to receive or process Treatment Authorization Requests (TARs), the form required to gain pre-approved funding for treatment, including the Medi-Cal approved assistive technology. Providers are being asked to provide the necessary treatment for the next two weeks, and the TARs will be retroactively completed.

PHC is the second healthcare entity to report ongoing network outages in the last week, bringing the total number of healthcare provider disruptions to four this year, so far.

Portions of the Oklahoma City Indian Clinic network remain down after an alleged Suncrypt ransomware incident deployed around March 21, while East Tennessee Children’s Hospital and Taylor Regional Hospital have restored most of their network functions after falling victim to similar incidents earlier this year.

Weeks-long cyberattack on CRMC led to patient data access

About three months after falling victim to a cyberattack and weeks-long network outage, Capital Region Medical Center in Missouri notified 17,578 patients that their data was accessed during the security incident.

As previously reported, CRMC reported network telephone outages around Christmas 2021 that disrupted certain telephones and computers, including its website. The network was taken down as a precaution, with clinicians operating with previously established electronic health record downtime procedures to maintain safe, effective patient care.

The incident was later confirmed to be a cyberattack. Much of the network was restored within three weeks, including the patient portal, online bill pay, and critical services. CRMC was able to maintain patient services, as it expanded administrative services to support patient registration and routine follow-ups.

The initial investigation did not find evidence of unauthorized disclosure, but patients and employees were urged to monitor statements for any suspicious activity.

The recently released breach notice shows the investigation has concluded, and officials determined that the third-party actors gained access to files containing personal and health information. There’s no evidence the EHR database was accessed.

The compromised data included patient names, contact information, dates of birth, medical data, and health insurance details. For some, Social Security numbers, driver’s licenses, and financial account information were included in the accessed data.

CRMC is continuing to evaluate its current security practices to identify ways to bolster them.

100K patients impacted by May 2021 attack on home care provider

Nearly 10 months after a cyberattack, 100,488 patients tied to Grandison Management and Towne Home Care are being notified that their personal and protected health information was exposed to the attackers.

Towne Home Care detected and stopped a cyberattack on May 17, 2021, which resulted in “unauthorized access to individuals’ personal and medical information.” Upon discovering the hack, the providers turned off network access and launched an investigation. In response, the provider reviewed all network locations where sensitive data could have been viewed.

The breach notice shows the investigation concluded on Jan. 4, which confirmed the impact to patient data. The notices redact the types of information accessed during the incident, outside of patient names and contact information.

Law Enforcement Health Benefits ransomware attack impacts 85K

A ransomware attack deployed against Law Enforcement Health Benefits (LEHB) on Sept. 14 led to the theft of data tied to more than 85,000 individuals. The attack encrypted files stored on the network.

The investigation concluded on Feb. 25, finding that the hackers exfiltrated files containing personal information from the network. The data could include SSNs, driver’s licenses, dates of birth, financial account details, health insurance information, and medical data, such as diagnoses and treatments. The information varied by individual.

LEHB has since taken additional steps to secure its network and improve internal procedures to identify and defend against a recurrent event.

After cyberattack, CSI Laboratories reports theft of patient data

Georgia-based CSI Laboratories fell victim to a cyberattack on Feb. 12, which disrupted certain portions of its information systems. The cancer testing and diagnostics laboratory quickly moved to isolate and secure the impacted systems.

On Feb. 25, CSI discovered an attacker exfiltrated certain files ahead of the attack, which included documents containing patient information. The investigators have been working to analyze the impacted files to identify the scope of the data theft and obtain contact information.

The exfiltrated data could include patient case numbers, names, dates of birth, addresses, medical record numbers, and health insurance information. None of the files contained SSNs or financial data. CSI officials explained that “in some cases, it will be very difficult, if not impossible, for anyone to further use the information that was accessed.”

CSI is continuing to work with a forensic investigation firm to find the cause of the hack, as it continues to secure the systems and data. The impacted systems have since been carefully restored, and its security team is continuing to monitor the network for any unusual activity.

The incident is listed on the Department of Health and Human Services breach reporting tool as impacting 312,000 patients. But the Texas Attorney General site shows 4,840 Texans were affected.

SuperCare Health reports PHI breach from July 2021

A four-day hack of California-based SuperCare Health in July 2021 led to possible exposure of protected health information. The breach was reported to HHS as impacting 318,379 patients and members of partner entities.

First discovered on July 27, SuperCare contained the incident and launched mitigation efforts to block the nefarious activity and secure the network with assistance from an outside cybersecurity firm.

The investigation found the hacker accessed certain systems between July 23 and July 27. Its investigation concluded on Feb. 4 that the impacted files contained patient files. The notice does not explain the lengthy forensics process, which led to notices being sent outside the 60-day requirement outlined in the Health Insurance Portability and Accountability Act.

The compromised data varied by patient and could contain names, contact details, dates of birth, patient account number, hospital or medical groups, medical record numbers, health insurance details, testing, diagnostic, and treatment information, and claims data, among other health information. SSNs and driver’s licenses were involved for a small subset of patients.

SuperCare reported the incident to the FBI and has since bolstered its security measures.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
