Breach, Ransomware, Incident Response

Capital Region Medical Center reports system-wide network outage

Although the cause has yet to be disclosed, Capital Region Medical Center is currently experiencing a network outage across its systems that is affecting its telephones and computers, according to a Friday social media post.

Phone calls to the Jefferson City, Missouri-based hospital lead to a busy signal, and the CRMC website leads to an empty GoDaddy placeholder. Local news outlets report that calls that do make it through to the operator cannot be transferred due to the ongoing issues.

The cause of the network outage remains unclear. Reports show CRMC took the network down as a precaution, after discovering unusual activity in its phone system. The hospital is currently operating under previously practiced electronic health record downtime procedures to “ensure care continuity.”

Technicians are currently working to repair the systems, suggesting it may not be a cyberattack-related incident. There’s no current time estimate for when the systems will be brought back online.

Texas ENT reports systems hack, data theft impacting 535K patients

A threat actor hacked into Texas ENT Specialists’ computer systems for a week in August and stole troves of medical information tied to 535,489 patients. Officials said they learned of the security incident on Oct. 19.

The notice is scarce on details, but it appears that Texas ENT discovered the data theft during the investigation of the security incident. A third-party cybersecurity firm assisted with the analysis, which showed a hacker accessed the computer systems and took copies of Texas ENT files, including patient information, between Aug. 9 and Aug. 15.

A review of those files determined the data contained patient names, dates of birth, medical record numbers, and procedure codes used for billing purposes. This type of data is commonly used for medical fraud. Officials said the actor also stole a subset of Social Security numbers.

Texas ENT’s electronic medical record was not subjected to the hack. Officials said they’re currently strengthening the existing privacy and security program by implementing additional safeguards and technical measures.

Disruption of operations continues at Maryland Department of Health

The Maryland Department of Health is continuing to experience disruptions to its operations and COVID-19 data reporting capacity, after a recent network security incident. While some systems were brought back online, other systems are still undergoing restoration efforts.

MDH first detected unauthorized activity on multiple network infrastructure systems on Dec. 4 and immediately took its servers offline to protect the network, in addition to enacting further countermeasures to contain the incident. The Maryland chief information security officer established an incident command infrastructure to investigate and restore the network.

According to officials, previously implemented cybersecurity measures prevented many core functions from being impacted. So far, there’s no evidence of any data compromise. COVID-19 vaccination and testing services continue to operate as normal, and vaccine, hospitalization, congregate, and school outbreak data reports are up to date.

However, COVID-19 surveillance data, previously posted on a daily basis, has only been partially restored. The health department and its partners are working on full restoration of surveillance data. COVID-19 cases, deaths, and other surveillance data are also out of date.

“In order to prevent additional damage and avoid compromising sensitive health information, we are being methodical and deliberate in restoring network systems while prioritizing health and human safety functions,” officials said in a statement. 

The IT and cybersecurity teams are continuing to work on fully restoring reporting data, but officials don’t have an estimate for when that might occur. MDH is currently working with state and federal law enforcement on the ongoing criminal investigation.

2.1M patients notified of DNA Diagnostics Center breach

DNA Diagnostics Center recently notified 2.1 million patients that their data was potentially accessed and/or stolen when a system hack led to the acquisition of an archived database containing personal information collected between 2004 and 2012.

The database was tied to a national genetic testing system acquired by DDC in 2012, which was never operated by the provider. As such, the data is not associated with DDC. The affected patients were informed the data included SSNs and payment information.

Upon discovering the hack on Aug. 6, DDC’s security team worked to contain and secure the threat, while coordinating with law enforcement.

The investigation confirmed the hacker removed certain files and folders from portions of the DDC network between May 24 and July 28, when it was discovered. The provider worked with outside cybersecurity experts to retrieve the stolen data.

Further, DDC’s main network was unaffected and its actively used systems and databases were not involved in the security incident. The investigation concluded on Oct. 29, when DDC began notifying the affected individuals.

With 2.2 million impacted patients, the breach is among the 10 largest reported healthcare incidents of 2021.

Broward County Public Schools’ ransomware attack impacts health plan data

A previously disclosed ransomware attack on Broward County Public Schools affected the health information of 48,684 individuals. The Florida school system operates its own health insurance plan, which falls under the Health Insurance Portability and Accountability Act.

On March 7, a ransomware attack was deployed by Conti threat actors and spurred a network outage that negatively impacted online schooling at the time. The hackers demanded $40 million from the school district to prevent the release of information they claim to have stolen ahead of the ransomware deployment. At the time, officials said they would not pay the ransom.

The investigation into the attack found the threat actors had access to the systems for nearly four months, between Nov. 12, 2020, and March 6, 2021, and used that access to steal available data. In April, the investigators confirmed the actors stole data and released the files online.

In June, officials determined the released data included individuals’ names, SSNs, and further data tied to its self-insured plan, such as dates of birth and benefits selection information. All impacted individuals will receive free credit monitoring.

While officials were transparent about the initial attack and investigation, the data breach was not reported to the Department of Health and Human Services until Nov. 29, 2021, far outside the HIPAA-required 60-day timeframe.

The school district has since implemented additional security measures to improve its security posture.

Ransomware attack on public accountants leads to HIPAA-PHI breach

Certified public accountants Bansley and Kiener recently reported that a ransomware attack on Dec. 10, 2020, led to the theft of client data on May 24. The Midwestern CPAs conduct payroll compliance engagements for health, pension, and other benefit plans.

After the ransomware attack, B&K responded to the incident, upgraded its computer security, and restored the affected systems from backups, resuming normal operations. At the time, officials said they believed the attack was contained, as they found no evidence of data exfiltration.

But in May, officials said they were notified that certain information was stolen ahead of the ransomware deployment, prompting yet another investigation. Despite the length of time between the attack and notice of data theft, B&K did not notify HHS until a year after the ransomware attack was deployed.

The 60-day timeline required by HIPAA is imperative for individuals impacted by breaches of protected health information to take swift action to prevent fraud and other data misuses.

B&K could only confirm that the information present on the systems at the time of the attack was names and SSNs.

BioPlus promptly notifies patients of monthlong hack

An undisclosed number of patients who leveraged BioPlus Specialty Pharmacy Services were recently notified that their data was accessed during a monthlong IT network hack, between Oct. 25 and Nov. 11.

BioPlus first detected the incident on Nov. 11 and promptly secured its systems, launching an investigation with assistance from law enforcement and a third-party forensic firm. Officials said they discovered the threat actor accessed information tied to certain patients during the time of access.

The investigation could not rule out access to information pertaining to former and current patients. The data could include names, dates of birth, medical record numbers, current and former health plan member ID numbers, claims data, diagnoses, and/or prescription details. For a smaller subset of patients, SSNs were also affected.

BioPlus has since implemented additional technical security measures to better monitor its systems.

Two Sound Generations’ security incidents lead to PHI breaches

The data of 103,576 Sound Generations patients was potentially compromised after a hacker gained access to its computer systems on July 18 and again on Sept. 18. Sound Generations is a Washington-based nonprofit provider serving older adults and adults with disabilities.

Upon discovering the unauthorized access, an investigation was launched to determine the scope of the hack. Investigators were unable to rule out whether the hacker accessed the encrypted data stored on the computer systems during the access period.

The impacted systems contained patient information, including names, contact information, dates of birth, and health insurance status. The systems also included data for individuals participating in Sound Generations’ EnhanceFitness program, which means the attacker could have accessed their health insurance number. 

The compromised data could also include health history and conditions, if it was provided to Sound Generations. The provider does not collect or store client SSNs, driver’s license numbers, financial account information, or credit or debit card information.

Sound Generations continues to monitor for potential misuse of patient information and has still found no evidence. The provider has since bolstered its cybersecurity controls and reset its passwords.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
