
Florida hospital still diverting some EMS patients 5 days after cyberattack


Tallahassee Memorial Health is continuing to divert some emergency care patients five days after a reported IT security issue, despite making progress in its recovery efforts.

The Florida health system shut down its network after an incident was detected the evening of Feb. 2 and has been operating under electronic health record downtime procedures as it works to remediate the threat. The investigation is ongoing.

TMH has been “proactively working to solve” the incident with support from law enforcement, which has brought some of its care services back online. Notably, the health system canceled surgeries between Thursday and Monday, but is now “performing limited surgeries and procedures.”

The networks for its labor and delivery facility, as well as its connected physician practices, are operational. However, clinicians are still leveraging paper processes for registration, admission, and during care, which is causing expected delays in care.

“Our teams are working around the clock in collaboration with outside consultants to investigate the cause of the event and safely restore all computer systems as quickly as possible,” according to the latest notice. But as with most healthcare security incidents, recovery is often slow-going. For some of the largest health systems, EHR downtime can last up to four weeks.

TMH is one of two U.S. health systems responding to a security incident while in EHR downtime this week. Atlantic General Hospital in Maryland is still recovering from a significant ransomware attack deployed around Jan. 28. As previously reported, the incident has caused some interruptions to patient care.

But all hospital services remained open, outside of its pharmacy, outpatient imaging, and pulmonary function testing services. A website notice shows imaging and walk-in lab services remain closed. The hospital has not provided an update outside of the initial report.

Data of 300K Highmark patients impacted by phishing attack

A successful phishing attack against a Highmark employee in December potentially compromised the data of 300,000 patients.

The notice shows an employee was sent an email with a malicious link, which compromised their email account for two days between Dec. 13 and Dec. 15. Upon discovery, Highmark immediately shut down the account, reset passwords, and implemented network blocking.

However, the compromise enabled the threat actor to access emails within the account, some of which contained patient data.

The data varied by patient and could include names and Social Security numbers, as well as enrollment information like group names, identification numbers, claims data, treatment information, dates of service, procedures, and prescription information. For some patients, financial information, contact details, and email addresses were also compromised.

Highmark is continuing to bolster its email security controls, as it provides employees with further cyber and phishing training to help prevent future attempts.

Website hack impacts 62,777 Sharp HealthCare patients

Sharp HealthCare is notifying 62,777 patients of a recent website hack that potentially compromised their protected health information. Sharp Health is a nonprofit healthcare group based in San Diego.

On Dec. 12, a hack was detected on a server that supports the Sharp Health website. The IT team took the affected servers offline and launched incident response protocols. The forensics later determined the activity was tied to a threat actor accessing a website server for several hours, which led to the access of a single file containing patient data. 

The data varied by patient and could include patient ID numbers, invoice numbers, payment amounts, and provider names. No financial data or further identifiers were compromised during the incident. Sharp Health stressed that only patients “who paid a bill or invoice using the online bill payment service between Aug. 12, 2021, and Jan. 12, 2023” were affected.

The health group has since enhanced its website security tools and is continuing to monitor its “systems to proactively identify additional safeguards.”

Cardiovascular Associates’ network hack leads to patient data theft

A network hack against Cardiovascular Associates led to the theft of data for 441,640 patients tied to its Alabama care sites.

In an incident first discovered on Dec. 5, a threat actor gained access to “certain systems” within the CA network. After securing the impacted systems, CA launched an investigation with support from an outside forensic firm. The forensic evidence revealed the access enabled the actor to copy some personal and health data from the network for a week between Nov. 28 and Dec. 5.

The stolen information could include demographic details, SSNs, health insurance information, treatment information, medical record numbers, dates of service, provider names, diagnoses, health assessment information, tests and imaging, and billing and claims data. Some passports, driver’s licenses, credit and debit card information, and other financial account details were also affected.

In response to this incident, Cardiovascular Associates has added further security and monitoring enhancements to minimize the risk of a recurrent incident.

Ransomware attack leads to data exfiltration for New York medical group

Regal Medical Group, Lakeside Medical Organization, ADOC Medical Group, and Greater Covina Medical in New York were hit with a ransomware attack on Dec. 8, which led to the exfiltration of data tied to over 3.3 million patients. It's the biggest healthcare data breach reported so far this year and impacts more patients than the third-largest incident reported in 2022.

The health group is known collectively as Regal, and its notice shows the cyberattack began on Dec. 1 but went undetected for one week.

After experiencing “difficulty in accessing some servers,” Regal performed an extensive review that found malware on some of its servers. The subsequent investigation later found the incident was caused by a threat actor accessing and exfiltrating data from its systems.

A third-party team helped the medical group with its response to the incident, including restoring access to the systems and analyzing the impacted data. The stolen data could include names, SSNs for some patients, dates of birth, contact details, diagnoses, treatments, lab test results, prescriptions, radiology reports, and health plan numbers.

Regal is providing all impacted patients with a year of free credit monitoring and has since bolstered its security and protocols.

Data of 54K Howard Memorial patients stolen during weeks-long hack

A network hack deployed against Howard Memorial Hospital in December led to the exfiltration of data tied to 53,668 patients. HMH detected the hack on Dec. 4 after the actor publicly claimed to have stolen patient data from its network.

An investigation confirmed the allegations and determined the threat actor first gained access on Nov. 14. Upon discovery, HMH secured the network and performed a comprehensive review to identify the potentially stolen information.

But “ultimately, HMH made the decision to notify all current or former patients and employees, in an abundance of caution, due to a potential impact to their information,” according to the notice. 

The data possibly accessed or stolen by the attacker could include SSNs, contact details, dates of birth, health insurance information, medical record numbers, medical histories, diagnoses, treatments, and physician names.

Update: This story was updated on Feb 10 to include the number of patients affected by the Regal incident, newly reported to the Department of Health and Human Services.

Update 2: This story was updated on Feb. 21 to include the number of patients impacted by the Cardiovascular Associates incident as reported to HHS.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
