Ransomware, Breach, Incident Response

DuPage Medical Group notifies 655K patients after cyberattack, outage

Healthcare providers need to better adhere to the basic security principles outlined in HIPAA, which will go a long way in the fight against targeted cyberattacks. (Photo by Joe Raedle/Getty Images)

DuPage Medical Group (DMG) recently began notifying 655,384 patients that their data was compromised during a cyberattack and network outage in mid-July. With its breach tally, the DMG hack is among the 10 largest incidents reported in the health care sector in 2021, so far.

The Illinois health system previously reported that a security incident disrupted its network systems on July 13. Upon discovery, DMG launched an investigation into the impact alongside a third-party cyber-forensic specialist firm and determined the outage was caused by threat actors gaining access to the network between July 12 and July 13.

The forensic team conducted a review to assess whether patient information was affected, which confirmed the hackers had access to just certain portions of the network and the patient data stored on those systems.

The compromised data could include names, contact details, diagnosis codes, Current Procedural Terminology (CPT) codes tied to procedures, and treatment dates, along with Social Security numbers for a subset of patients. No financial information was impacted. All affected patients will receive free credit monitoring and identity theft protection.

DMG has since implemented further cybersecurity measures and is in the process of reviewing security policies to prevent a recurrence and improve its “technology roadmap.” Local law enforcement is continuing to investigate the incident.

Beaumont Health joins Accellion breach tally

Michigan-based Beaumont Health has been added to the ongoing breach tally of health care covered entities impacted by the Accellion File Transfer Appliance (FTA) hack, first reported more than eight months ago.

As previous reports showed, an attacker exploited several unpatched zero-day vulnerabilities in the FTA platform and combined the flaws with a new web shell called DEWMODE. While the motives behind the hack were unclear at first, the actors began contacting victims in January in an attempt to extort the entities into paying a ransom.

Investigations into the incident showed the threat actors had access to the FTA and connected clients for multiple days, which resulted in the theft of data from at least 100 Accellion clients — with the health care sector the hardest hit. In fact, the Accellion incident remains the largest health care data breach this year.

For Beaumont, the impact was caused by its legal services vendor, Goodwin Procter, which used the FTA for large file transfers on behalf of its clients. Accellion notified Goodwin of the hack in January 2021, prompting the vendor to turn off the FTA and launch an investigation.

The forensic review determined certain files on the Accellion FTA were downloaded by a hacker on Jan. 20. Goodwin then contacted Beaumont about the data exfiltration, spurring an internal review. The provider confirmed that the stolen data contained health information on June 28, 2021, which was tied to 1,500 patients.

The compromised data include names, procedures, physician names, internal medical record numbers, and dates of service.

It’s been a rough year for Beaumont, as this is the second security notice released this year. In February, the provider was forced to shut down its COVID-19 vaccine appointment scheduling app, after an unauthorized actor exploited a flaw in the Epic platform.

The hack enabled 2,700 individuals to cut in line and register for unauthorized appointments. The investigation found that an actor exploited a known flaw in the Epic platform and publicly shared the scheduling pathway, which was only intended for direct recipients through ticket scheduling.

Third-party app flaw leaks Denton County vaccine clinic data

The public health department of Denton County, Texas, recently reported that a flaw in its third-party application used by its COVID-19 vaccination clinics potentially exposed data tied to 326,417 patients.

The vulnerability, first discovered on July 7, enabled anonymous, unauthorized users to view data hosted on the system. County officials swiftly moved to shut down the application and began assessing the nature and scope of the incident.

The forensic review confirmed there was a configuration error in the third-party app, which led to the exposure of health information. Officials then worked to identify the data impacted by the leak and concluded the incident was contained to COVID-19 vaccine data, as the county did not collect SSNs, driver’s licenses, or financial account details.

As a result, the exposed data only included names, dates of birth, contact details, and COVID-19 vaccination data.

Prior to reinstating the vaccination clinic website, the county worked with the third-party app vendor to implement additional security measures to bolster the site and prevent a recurrence.

The incident bears the hallmarks of an earlier report from the Indiana Department of Health on its COVID-19 contact tracing survey. About 750,000 state residents were notified that their data was improperly accessed due to a software configuration issue.

First detected on July 2, the data included names, contact information, gender, ethnicity and race, and dates of birth. Officials said the risk to residents was low, as SSNs and medical data were not collected by the department for contact tracing use. Still, the department will provide the impacted individuals with credit monitoring as a precaution.

“We take the security and integrity of our data very seriously,” said Tracy Barnes, chief information officer for Indiana, in a statement. “The company that accessed the data is one that intentionally looks for software vulnerabilities, then reaches out to seek business. We have corrected the software configuration and will aggressively follow up to ensure no records were transferred.”

The leak is tied to UpGuard data research on Microsoft Power Apps, which showed several vulnerabilities and the potential exposure of the information contained in the apps — including those belonging to the state health departments.

Ilia Sotnikov, vice president of user experience and security strategist for Netwrix, previously confirmed via email to SC Media that the leak’s impact on individuals is relatively low and the “real scale of the issue is hard to assess.” Many headlines are overstating the impact, as many of the exposed records did not include highly sensitive information.

However, there’s no way to determine that the data exposed in these apps hadn’t been harvested by a nefarious actor prior to the UpGuard report to Microsoft and the app owners.

For Sotnikov, it’s a “great example of how the impact UI design decisions can have on the decisions users make.” 

“The anonymous access enabled in Power Apps is a result of two settings that are located in different tabs in a configuration dialog box. If you enable one and skip the other, you allow everyone on the internet access to your table contents,” explained Sotnikov. 

“This behavior is by design and documented, but the connection between the settings is not obvious for someone designing the application,” he added. “This typically happens when user interface is designed by a team that understands product architecture much better than the user’s needs and scenarios.”

San Andreas Regional Center ransomware attack

A ransomware attack on the San Andreas Regional Center in California led to the threat actors potentially accessing or obtaining some patient-related data. A total of 57,244 patients were notified. SARC provides support, services, and advocacy for those with developmental disabilities.

The sophisticated attack struck on July 5, and SARC quickly secured its systems while engaging a third-party forensics firm to investigate and remediate the incident. The FBI was also contacted. SARC was able to restore its systems and operations via backups.

The investigation, concluded on Aug. 2, confirmed that the attack impacted both personal and protected health information. Although officials believe that the attackers did not obtain the vast majority of patient information, they could not verify the specific data obtained and/or accessed by the attackers.

As such, all patients with data in the impacted systems are being notified of the potential impact to their data, which included patient names, SSNs, contact information, health plan beneficiary numbers, health insurance details, full-face photos and/or comparable images, unique identifying numbers, medical data, diagnoses, disability codes, and certificate or license numbers.

“The security and privacy of the information contained within our systems is a top priority for us, and we were shocked to learn that we were one of the thousands of victims of this type of cyberattack,” said SARC executive director Javier Zaldivar, in a statement. “We are fully committed to protecting the information on our systems and sincerely regret the worry caused by this incident.”

CareATC employee email hack spurs breach notice

The hack of several employee email accounts at CareATC led to the potential exposure of protected health information tied to 98,774 patients, according to a recent notice.

On June 29, CareATC detected suspicious activity in an employee email account and moved to secure the account from unauthorized access. The provider then launched an investigation with support from third-party forensics specialists, which found two employee email accounts were hacked for 11 days between June 18 and June 29, 2021.

CareATC then performed a comprehensive review of the email contents to determine what information was present during the incident. The review concluded on Aug. 11 that the accounts contained a range of data tied to certain patients, employees, and dependents of employees and patients. The incident was contained to the email accounts.

The compromised data varied by patient and could include names, dates of birth, SSNs, driver’s license numbers, financial account details, medical histories, treatments, health insurance information, passport numbers, US Alien Registration numbers, user credentials, and electronic or digital signatures.

CareATC has since provided employees with additional training on email security best practices.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
