Breach, Ransomware

Cyberattack on health tech vendor QRS leads to data theft tied to 320K patients

Ambulances are seen at the Accident and Emergency department of St. Thomas’ Hospital on March 3, 2005, in London. (Photo by Graeme Robertson/Getty Images)

A cyberattack on healthcare technology services vendor QRS possibly led to the access or theft of protected health information belonging to 319,778 patients. QRS hosts the electronic patient portal for a number of healthcare provider clients and provides related services.

First discovered on Aug. 26, a threat actor gained access to one dedicated patient portal server and potentially acquired some of the data. Upon discovery, QRS took the server offline, notified law enforcement, and launched an investigation with assistance from an outside forensic security firm.

The systems review determined the attacker accessed a single server for three days between Aug. 23 and Aug. 26. During the hack, the actor accessed and possibly acquired files tied to QRS clients, including the personal and health information of certain individuals. The hacker did not access other QRS systems or client systems.

The impacted data varied by patient but could include names, contact details. Dates of birth, Social Security numbers, patient identification numbers, portal usernames, treatments, and or diagnoses. Patients whose SSNs were compromised will receive free identity theft protection services.

The QRS breach joins the ever-increasing list of vendor-related security incidents reported in the healthcare sector in 2021, with some of the largest breaches this year caused by vendors.

Community Medical Centers network hack

Approximately 656,000 Community Medical Centers Healthcare Network patients were recently notified their health information was compromised during a systems hack in early October. CMC is a nonprofit community health center in California.

On Oct. 10, CMC shut down a number of systems after it detected suspicious network activity. Officials said they determined an attacker accessed the network, potentially compromising personally identifiable information and patient data. The affected information could include names, contacts, SSNs, dates of birth, demographic details, and medical information.

All patients are being offered free identity monitoring services.

CMS worked with an outside cybersecurity firm to examine the scope of the incident and ensure the security of the network. The health center has since reviewed and altered the security policies and procedures for its systems and server security, further reviewing and updating the manner in which data is managed on the network.

Sea Mar reports massive data theft, longstanding hack from 2020

Nonprofit Sea Mar Community Health Centers in Seattle recently notified a number of patients of a serious hacking and data exfiltration incident that began in December 2020, but was not detected until June 24, 2021.

At the time of discovery, Sea Mar was notified that threat actors copied a subset of data from its digital environment. In response, Sea Mar quickly worked to determine the scope of the hack and just what information was affected by the incident with support from outside cybersecurity leaders.

The investigation revealed the attackers first gained access to the network in December 2020, which lasted for four months until March 2021.

The forensics concluded in August 2021, finding the protected health information taken during the hack included names, contacts, SSNs, dates of birth, client IDs, full treatment information, diagnostics, dental images, and claims data. Patients whose SSNs were compromised during the hack will receive free credit monitoring and identity theft protection services.

Cyberattack disrupts services at Canadian health system

The healthcare system in Newfoundland and Labrador are just now resuming some chemotherapy services four days after a cyberattack forced the province’s public provider to cancel appointments, as the network was shut down at all four of the province’s care sites.

The outages began on Saturday, Oct. 30, and the since-confirmed cyberattack has forced officials to only take on urgent procedures. The attack spurred IT disruptions across the health system forcing the cancellation of thousands of appointments, including X-rays and chemotherapy. COVID-19 test results were also unavailable.

The Eastern Health care site was the hardest hit, and officials said some care sites will not return to normal services until Monday, Nov. 8, at the earliest. Eastern Health has been maintaining care services using paper processes and only taking on urgent cases.

Providers have been calling patients whose appointments are continuing as scheduled, while all other patients have been told to assume their appointment has been canceled if they don’t receive a phone call.

The security team has been attempting to restore the impacted systems, and successfully began taking on some routine appointments on Nov. 5, almost a week after the attack was launched.

By Thursday, Eastern Health and Central Health began bringing some systems back online, including those used for care management and finance services. However, the systems only have information from the previous weekend and will still need to be updated.

Some local reports purport the attack was caused by ransomware, and officials have been cautious about providing specific details due to concerns the perpetrators are monitoring the media reports.

"We want this fixed. We'll do whatever it takes, and we'll work out the price later," Health Minister John Haggie told local media outlet CBC. "The full functionality of the Meditech suite is not there yet and will take some time yet to get there."

“The capacity pre-attack and the capacity now may be different,” he added.

For now, restoration efforts continue across the health system. Officials say the Western Health branch will have scheduled downtime over the weekend to perform maintenance on the network. Some systems are back to using the electronic health record, while some are still leveraging paper processes.

Prairie Lakes Health investigating cyberattack

On. Nov. 3, Prairie Lakes Healthcare System (PLHS) in South Dakota reported it was investigating a cyberattack launched on Oct. 6 that disrupted some network and IT systems.

Upon discovering the incident, the IT staff took action to secure the systems, while working to minimize service disruptions and restore critical systems to allow for continued hospital operations. Officials explained the care teams were able to maintain patient care with minimal impact.

The investigation is ongoing, and PLHS is working with third-party cybersecurity firm to support the remediation efforts. What’s clear so far is that an attacker gained access to several IT systems. The IT has since restored functionality of all IT systems.

JEV Plastic Surgery reports near-two monthlong hack

More than five months after it was hacked, JEV Plastic Surgery and Medical Aesthetics in Maryland is notifying certain patients that their data was accessed and likely acquired during a malware attack in the spring.

The notice does not detail when the attack was first discovered, just that a hacker accessed its network for nearly two months between April 30 and June 14. The incident included a malware infection on certain computers that disrupted some services for a limited amount of time.

JEV Plastic Surgery noted its investigation concluded on Sept. 8, which found the attacker may have viewed or taken some patient information during the incident. The data included consultation notes, medical histories, surgical notes, patient names, and dates of birth.

The specialist has since enhanced its systems security with support from third-party specialists.

Ransomware attack on Professional Healthcare Management

Tennessee-based Professional Healthcare Management recently notified an undisclosed number of patients that their data was compromised during a September ransomware attack. PHM primarily supports the home healthcare services industry, providing related healthcare services.

PHM discovered the “sophisticated” ransomware attack on Sept. 14 and took steps to secure the network with support from a third-party forensic and incident response firm. The investigation is ongoing, but officials were able to determine the impact data could include protected health information.

The data could include full names, SSNs, health insurance details, Medicaid and Medicare numbers, prescriptions, and diagnoses codes.

The support vendor has since implemented additional cybersecurity measures and enhanced its cyber policies, procedures, and protocols, in addition to retraining employees on cybersecurity measures.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.