Ransomware, Breach, Incident Response

Hive claims stealing Consulate Health data; provider reports vendor incident

The exterior of the U.S. Department of Health and Human Services is seen in Washington. (Photo by Alex Wong/Getty Images)

The Hive ransomware threat group claims to have stolen 550 GB of data from Consulate Health Care. The actors’ dark web posting appeared around the same time a notice was posted on the Consulate website that warned patients of potential access to their data.

Consulate Health owns 140 nursing homes across the country and also provides other senior care services. A STAT report from August shows the company has been dealing with financial issues in recent years, including filing for bankruptcy at six of its care sites.

Given the size of the organization, the data impacts may be widespread, but the number of affected patients has not yet been listed on the Department of Health and Human Services breach reporting tool. Consulate Health has also not confirmed whether the vendor incident is tied to the Hive posting.

Currently, they’ve determined that one of Consulate’s vendors experienced a “security incident” in early December. Threat actors targeted portions of the network, prompting incident response plans and an investigation to determine the scope. The analysis confirmed the threat actors may have accessed records containing personal information.

The investigation into the incident is ongoing, but Consulate Health issued its notice in an effort to be transparent. The provider intends to notify patients as soon as it has determined whether their information was contained in the files accessed by the actors. For now, patients are being urged to “remain vigilant” and monitor for unauthorized activity.

Consulate Health is “in regular touch with our vendor, and we are closely monitoring the investigation, as they work to finalize the investigation as soon as possible,” according to the notice.

Disruptions continue at CentraState HealthCare after cyberattack

CentraState is continuing to face network issues after falling victim to an apparent cyberattack, first launched during the morning hours of Dec. 30. 

An update posted last week shows four departments are still facing care disruptions after the attack. No walk-ins are being accommodated at its outpatient radiology. Instead, patients are being sent to a care partner site. Only one lab appears to be holding routine appointments and walk-ins, and patients are being asked to call ahead for appointments at other labs.

As previously reported, the hospital’s CEO confirmed the provider organization was dealing with technical issues stemming from an IT security issue, which prompted care diversion processes and other appointment delays and cancellations.

The impacted sites are operating under electronic health record downtime procedures with paper processes, which has allowed for patient care to continue without any adverse effects.

Patients are still being urged to contact 911 for emergencies, as CentraState continues to respond to the security issues and service impacts. However, officials say their “high standards of patient care remain in place, and our emergency department continues to function at near full capability with some limited exceptions.”

After ransomware attack on MedStar Mobile, 612K notified of data breach

The data of 612,000 patients was potentially compromised after a ransomware attack on MedStar Mobile Healthcare in October. MedStar Mobile is an ambulance service provider for 15 cities in Tarrant County, Texas.

Network system issues on Oct. 20, 2022, prompted an investigation that discovered a threat actor accessed a restricted location in the network. A number of patient files were stored in the impacted system, but MedStar Mobile was unable to confirm whether those files were actually accessed by the attacker.

The compromised data involved patients who received care from the ambulance service provider, and for many, only non-financial billing information was impacted. For a smaller number of individuals, names, dates of birth, contact details, treatment information, and other identifiers were exposed.

MedStar Mobile explained that its previously implemented security measures enabled prompt action against the attack and reduced its proliferation. With support from a third-party firm, the provider is working to bolster its systems and data security.

271K Avem Health patients informed of May data breach

Approximately 271,000 Avem Health Partners patients are learning that a “data security incident” at a data storage vendor, 365 Data Centers, possibly compromised their protected health information. Avem is an administrative and technology service provider.

It’s unclear when Avem was notified of the incident, but 365 Data Centers confirmed that data stored on its servers was likely accessed by a threat actor during an incident in mid-May. As HHS recently reminded providers, data breaches are to be reported without undue delay and within 60 days of discovery.

The delay was possibly tied to a review of the files stored on the impacted servers, as per its breach notice. The review found that the compromised information included names, dates of birth, Social Security numbers, driver’s licenses, health insurance details, diagnoses, and treatment information.

Patients whose driver’s licenses or SSNs were compromised are being offered credit monitoring and identity theft protection services. 

The incident did not directly affect Avem systems. Avem is currently examining its vendor relationships and the security measures of its connected partners.

Fitzgibbon Hospital informing patients of June 2022 breach

A network hack on June 6, 2022, at Fitzgibbon Hospital in Missouri led to the possible access or acquisition of protected health information for 112,072 patients. But patients weren't notified of the incident and data impacts until January 2023.

The notice appears to attribute the delay to only discovering the possible data compromise on Dec. 1. It remains to be seen how the delay will be viewed by HHS.

An investigation was launched in June with support from a third-party cybersecurity team, which is ongoing. The response team has confirmed personal and health data were accessed and stolen “in connection with the incident.”

The stolen data varied by individual and could include SSNs, driver’s licenses, financial account numbers, health insurance details, and/or medical information. Not all Fitzgibbon Hospital patients were impacted by the network hack. Patients with compromised SSNs will receive free credit monitoring services.

Patients learning of Maternal & Family Health April 2022 data breach 

Maternal & Family Health Services (MFHS) recently began notifying an undisclosed number of patients that their data was accessed during a ransomware attack in April 2022, becoming the third provider this month to fail to report a PHI incident in a timely manner.

Upon discovering the attack on April 4, MFHS engaged a third-party forensic incident response firm for support with securing their systems and to conduct a forensics investigation. The team found that while the incident was discovered in April, the attackers had access to the system for eight months — beginning in August 2021.

The forensics confirmed patient data was accessed during the incident, including contact details, dates of birth, SSNs, driver’s licenses, financial account/payment card information, usernames and passwords, medical data, and/or health insurance information.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
