Data for 2 million patients stolen in largest healthcare breach so far of 2022

Two million patients from nearly 60 healthcare providers were recently informed that their data was stolen after the hack of a third-party vendor, Shields Health Care Group. Shields Health provides MRI, PET/CT, and outpatient surgical services for covered entities.

The breach tally makes it the largest healthcare data breach reported so far this year.

The “suspicious activity” was discovered on the Shields network on March 28, which “may have involved data compromise.” Shields took steps to contain the incident, and an investigation was launched with support from third-party forensic specialists. Law enforcement was also notified.

The investigation found that a hacker gained access to certain Shields systems for three weeks between March 7 and March 21. During the dwell time, the attacker stole “certain data” from the network. According to the notice, “although Shields identified and investigated a security alert on or around March 18, data theft was not confirmed at that time.”

Shields has since determined the stolen data varied by patient and could include names, Social Security numbers, dates of birth, contact details, provider names, diagnoses, billing information, insurance details, medical record numbers, patient IDs, and other medical or treatment information.

The investigation into the incident is ongoing, but the hack forced Shields to rebuild certain systems. The vendor is currently working to review and enhance its existing security measures.

Medical malpractice law firm reports data access from December

Heidell Pittoni Murphy & Bach (HPMD), the medical malpractice litigation counsel for New York Presbyterian Hospital, recently began notifying 114,979 patients that their data was acquired during an apparent extortion incident in December 2021.

Suspicious activity was discovered within the network environment on Christmas 2021, prompting the IT support team to respond and partner with a third-party forensic specialist to analyze the activity. Notably, HPMD “immediately engaged a law firm specializing in cybersecurity and data privacy to investigate further.”

The preliminary assessment revealed an attacker “gained control over certain firm information for a period of time until HPMD was able to negotiate its return.” The data could include names, dates of birth, SSNs, and medical treatment information, which was “part of a tranche of data accessed and briefly held” by the hacker.

HPMD has since confirmed the security of the network environment and ensured “no further unauthorized activity has continued.” The firm has also reviewed and revised its security policies and procedures.

6 more providers, 117K patients added to ECL breach tally

At least six more healthcare providers and their patients have been added to the ongoing Eye Care Leaders breach tally, which has already claimed well over 200,000 patients. The cloud-based electronic medical record vendor is currently defending itself against a provider-led lawsuit claiming ECL experienced multiple ransomware attacks and outages earlier this year.

The latest filings with the Department of Health and Human Services include 1,337 Burman & Zuckerbrod Ophthalmology patients, 2,646 Fishman Vision patients, 13,461 Associated Ophthalmologists of Kansas City patients, 48,587 Finkelstein Eye Associates patients, 38,000 Moyes Eye Center patients, and 50,631 patients from AU Health.

All of the breach notices mirror earlier notifications from providers also impacted by the Dec. 4, 2021, ransomware attack deployed against ECL. An attacker gained access to the myCare Integrity platform and its data, then deleted databases and system configuration files. 

“A lack of available forensic evidence prevented Eye Care Leaders from ruling out the possibility that some protected health information and personally identifiable information may have been exposed to the bad actor,” according to one notice.

The compromised data could include patient names, dates of birth, SSNs, diagnostic details, and health insurance information.

Fishman Vision and Moyes Eye Center have since terminated their vendor relationships with Eye Care Leaders, while Finkelstein Eye is “working with Eye Care Leaders to evaluate additional measures and safeguards to protect against this type of event in the future.” Meanwhile, AU Health is “assessing alternative ophthalmology EMR platforms.”

Yearlong Homestead Hospice email hack impacts 28K patients

The data of 28,332 patients of Homestead Hospice & Palliative Care in Georgia was potentially compromised during a yearlong hack of multiple employee email accounts between April 1, 2021, and March 31, 2022.

Upon discovery, the accounts were secured. The subsequent investigation determined “some patient information” was involved in the incident, which may include names, contact information, SSNs, dates of birth, medical record numbers, health insurance details, and other care information related to treatment at Homestead.

Of note, during its investigation into the email hack, Homestead discovered some former workforce members failed to return their work laptops, which contained patient information. Homestead has since contacted those employees to “confirm that patient information contained on the laptops, if any, has not been misused or disclosed.”

Homestead has since reinforced its employee education around patient privacy and implemented additional security measures for its email system.

Jessica Davis
