
Eskenazi Health confirms patient data stolen prior to ransomware, EHR downtime

The Sidney and Lois Eskenazi Hospital is pictured at Eskenazi Avenue and Dr. Harvey Middleton Way in Indianapolis, Indiana, USA. (Momoneymoproblemz/CC BY-SA 4.0)

Eskenazi Health confirmed the threat actors behind the ransomware attack launched on Aug. 4 exfiltrated patient data prior to the deployment and leaked the stolen information online in the days following the attack and subsequent network outage.

The Indianapolis-based health system was forced into electronic health record (EHR) downtime procedures after the attack was launched, prompting the IT team to quickly shut down the network to prevent the attack from spreading and to protect patient safety. The incident impacted all Eskenazi Health care sites.

But officials have continued to stress that patient care has in no way been impacted by the attack, as the health system previously established and practiced disaster recovery plans based on similar scenarios. An Aug. 8 notice showed the EHR and website have since been brought back online.

Although the latest update does not explain the current status of the IT team’s recovery efforts on the network, Eskenazi Health “is open and operating with patient procedures and appointments underway” and “treatment of COVID-19 patients and our vaccination efforts are unaffected.”

The attack has also impacted the local Marion County Public Health Department, which caused issues for individuals attempting to obtain death and birth certificates. Both entities previously stated they’re continuing to analyze the remaining systems to safely bring them back online.

During the IT team’s ongoing forensic evaluation of the systems, they discovered some data belonging to the health system was obtained by the threat actors and released online. As previously reported, the Vice Society ransomware group claimed the attack and released data they claimed to have stolen from the health system last week.

The forensic team has identified the exfiltrated files and “have begun the painstaking process of examining those files for any personal patient or employee information.” The health system will then identify the impacted patients and release secondary breach notices as required by the Health Insurance Portability and Accountability Act (HIPAA).

Notably, Eskenazi Health had at least another 30 days to report the incident to patients, as HIPAA requires providers to inform patients and the media of data breaches within 60 days of discovery. The early notification can enable patients to take steps to defend against fraud attempts and monitor their credit reports.

The notice also shows the IT team has found no evidence that any “files were ever encrypted,” and officials stressed they have no intention of making any payments to the hacking group.

“Our system worked as it should and the quick action by staff, in accordance with our information security protocols, enabled us to maintain the safety and integrity of our patient care,” officials said in a statement.

For now, Eskenazi Health is continuing to work with the FBI on their investigation into the attack.

Atlanta Allergy & Asthma sends breach notice 7 months after data theft

Threat actors gained access to the network of Atlanta Allergy & Asthma (AAA) in January and exfiltrated a subset of sensitive patient data, including protected health information. But the specialist is just now releasing breach notices, far outside the HIPAA-required 60-day timeframe.

Notably, the breach was reported to the Department of Health and Human Services on April 5 as impacting 9,851 patients, which was already outside the 60-day limit. The breach notices were sent to patients on Aug. 20.

The attackers first gained access on January 5, 2021, and the intrusion lasted until January 13, 2021, when it was discovered. At the time, DataBreaches.net reported the data leak and outlined the various types of patient information leaked during the incident.

But AAA officials said the practice did not determine that data had been exfiltrated until July 8, while working with a third-party cybersecurity team. That timeline could support AAA’s defense of the delayed breach notification.

The investigation found the threat actors obtained and leaked full patient names in combination with one or more data elements, including Social Security numbers, financial account numbers and/or routing numbers, diagnoses, treatment information, care costs, procedure types, provider names, treatment locations, dates of service, patient account numbers, and health insurance data.

Metro Infectious Disease Consultants email hack impacts 172K patients

Metro Infectious Disease Consultants (MIDC) recently notified 171,740 patients that their data may have been compromised after the hack of several employee email accounts in June. Upon discovery, MIDC worked to contain the incident and secure the accounts.

An investigation launched with support from an outside forensic security firm did not find evidence of misuse, but access to the data contained in the accounts could not be ruled out.

The incident review found some accounts contained patient information that varied by patient, including names, contact information, account numbers, insurance details, dates of birth, prescription information, clinical data, SSNs, and driver’s licenses. Patients whose SSNs were compromised will receive free identity protection and credit monitoring services.

The forensic security firm is also working with MIDC to assess the security of both the email and computer systems and to recommend security enhancements.

CarePointe ENT ransomware attack impacts 49K patients

A ransomware attack on Indiana-based CarePointe ENT potentially compromised the data of 48,742 patients, according to a news release. Officials said they couldn’t rule out unauthorized access to patient information and are notifying all current and former patients of the attack.

On June 25, CarePointe ENT first detected the incident and moved quickly to stymie the impact. An investigation was launched with assistance from its security team. The evidence suggests that the attackers were only seeking a ransom payment and not the data contained on the network.

Further, the investigation did not find any specific misuse of information, but officials said they could not rule out access to data. The compromised data could include patient names, contact details, dates of birth, SSNs, medical insurance information, and other health-related data.

CarePointe is working to bolster its threat detection and adding restrictions to its remote access endpoints to better defend against the modern threat landscape.

A2Z Diagnostics reports months-long employee email hack

The hack of several employee email accounts at A2Z Diagnostics over the course of two months potentially compromised the data of 35,587 patients. The notice does not detail when the access was first detected, just that the investigation concluded on June 28.

The New Jersey specialist partnered with an outside cybersecurity team to investigate the scope of the incident and found attackers accessed more than one email account between February 2, 2021 and April 2, 2021.

The forensics review determined the accounts contained troves of patient information that varied by patient and could include names, SSNs, birthdates, driver’s licenses, state IDs, diagnoses, health insurance details, provider names, treatment types, care sites, clinical data, and medical procedure information.

Not all A2Z patients were affected. In response to the incident, the specialist has enhanced its technical safeguards and bolstered its multi-factor authentication software.

Revere Health notifies 12,000 patients after 45-minute phishing attack

A 45-minute-long phishing attack against Revere Health resulted in the compromise of personal and health data belonging to about 12,000 patients. The phishing email impersonated the U.S. Agency for International Development (USAID), a campaign that researchers tied to the Nobelium hacking group.

The incident impacted just one employee account and was detected within the hour. But the investigation concluded some patient information was exposed during the attack; specifically, data belonging to patients of Revere Health’s Heart of Dixie Cardiology Department in St. George, Utah.

Officials believe the attack aimed to target other employees with phishing emails, rather than to compromise patient data. While the risk to patients was deemed low and the investigation has not found the data being shared online, patients are being notified out of an abundance of caution.

The compromised data could include medical record numbers, dates of birth, provider names, insurance provider, and procedures. No financial data was compromised during the incident.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
