
Law firm informs 255K of HIPAA data incident 10 months after hack

Photo: An Air Force pharmacy technician counts pills to correctly fill a prescription on Ellsworth Air Force Base, S.D. Sensitive patient data may have been exposed during a number of cybersecurity incidents at organizations around the U.S. (Air Force)

Warner Norcross & Judge recently informed the Department of Health and Human Services of a Health Insurance Portability and Accountability Act data breach impacting 255,160 individuals. The law firm provides employment and immigration services to healthcare entities, including three of the largest hospital systems in Michigan.

On Oct. 22, 2021, WNJ first discovered unauthorized activity on “some of its systems” and took steps to secure the network. A digital forensics firm was brought on to investigate and to perform a “data mining and manual review.”

WNJ found that personal and protected health information was contained in the protected systems, including names, dates of birth, Social Security numbers, driver’s licenses, passports, and government IDs, annual compensation amounts, benefit contribution details, credit or debit card numbers and PINs, financial accounts or routing numbers, and other sensitive data.

The notice appears to explain the lengthy delay in notifying patients as tied to its data mining to identify impacted information and individuals. But under HIPAA, covered entities and business associates are required to report within 60 days of discovery, not at the close of an investigation.

WNJ has since “taken steps to help prevent a similar incident from occurring in the future.”

Employee email hack at Henderson & Walton Women’s Center

The protected health information of 34,306 patients tied to the Henderson & Walton Women’s Center in Alabama was compromised during the hack of an employee email account. The notice does not explain when the hack began, just that its investigation concluded on June 24.

Upon discovering the email systems’ intrusion, HWWC secured the account and implemented additional security measures. The notices stated that “all HWWC email sent internally is encrypted. The hackers did not have access to HWWC’s server or other data storage facilities.”

The compromised data varied by patient and could include dates of birth, SSNs, medical data, health insurance details, driver’s licenses, and state ID numbers.

HWWC has since implemented additional security and privacy policies, added protections to its encrypted email system, and launched protocols for its emails containing patient information, including automatically deleting such information after three days. The provider also intends to implement “a system to eliminate the sharing of any personal information via email at all.”

CorrectHealth notifies 54K of November 2021 incident

Approximately 54,000 individuals tied to CorrectHealth, a correctional healthcare provider in Georgia, were recently informed that a “cybersecurity incident” discovered in November 2021 led to the compromise of their personal and health information.

The incident was first discovered on Nov. 10, 2021, when a threat actor gained access to multiple employee email accounts. Upon discovery, CorrectHealth launched an investigation, which concluded on Jan. 28. A three-month systems review followed to verify the type of information disclosed and the identity of those potentially affected by the email hack.

The investigation found that full names, contact information, and SSNs were potentially exposed during the incident. All affected individuals will receive free credit monitoring services. Since the incident, CorrectHealth has worked with the FBI as part of a broader “investigation into the threat group responsible.”

The provider also issued a password reset for all employees, engaged an advanced phishing protection service for its email platform, implemented multi-factor authentication, added single sign-on for clinical staff, launched weekly data security training and monthly simulated phishing exercises for employees, and added “disclaimers on all externally received emails.”

NorthStar Health reports email hack from April

The hack of an email account belonging to an employee of NorthStar Healthcare Consulting led to the possible access or theft of Georgia Medicaid information for 18,354 members. NorthStar is a business associate of the Georgia Department of Community Health.

Upon discovering the intrusion, the account was secured, and NorthStar changed account passwords, in addition to notifying law enforcement. The investigation found the threat actors accessed the impacted email account, but could not verify what, if any, data was accessed or acquired. A systems review confirmed no other email accounts or systems were affected.

The impacted account contained Medicaid member names and identification numbers, dates of birth, contact details, prescriptions, prescriber names, appeal numbers and diagnoses.

The hack was first discovered on April 20. The notice does not explain the delay in notifying patients, but it could be attributed to “a comprehensive review to identify any individuals whose information was contained in the impacted account and potentially affected by the incident.”

NorthStar has been working with a third-party forensic specialist to confirm the security of its network, while it enhances its data security and controls.

Methodist McKinney Hospital update: 125K patients affected

An update to the Methodist McKinney Hospital, Methodist Allen Surgical Center, and Methodist Craig Ranch Surgical Center on the HHS breach reporting tool shows 125,401 patients were impacted by the systems hack and subsequent data theft by Karakurt actors in early July.

As previously reported, “unusual activity on certain systems” was discovered by the hospitals on July 5. The investigation determined threat actors copied files from the network during a dwell period between May 20 and July 7, when the activity was discovered.

When Karakurt threatened to leak the data, the hospitals issued a website notice to inform patients of the data theft so they could take swift action to protect their privacy. The investigation was ongoing but the review confirmed the theft involved names, SSNs, contact information, dates of birth, diagnoses, treatments, medical record numbers, and health insurance details.

The initial breach notice preceded an HHS Cybersecurity Coordination Center alert warning of the ongoing targeting of healthcare by the Karakurt group. At least four provider organizations have fallen victim to the threat actor’s tactics in the last three months.

First Street Family Health cyberattack led to deletion of backup data

In a prompt notification, First Street Family Health recently notified 7,310 patients that their data was lost after a cyberattack led to access and/or theft of patient health information and the “automated deletion” of backup data for its electronic medical records.

The cyberattack was discovered on July 16. The notice does not identify the threat behind the attack, just that the provider was “able to fully restore many files from the backups that were untouched by the attack.” Access to the systems began as early as July 5 and ended on July 16.

“FSFH was not locked out of the files through encryption as is often the case,” officials explained. “Instead, its files were programmatically deleted.”

As a result, FSFH was unable to recover EMR information from June 28, 2021, to July 15, 2022. The investigation found “no indication the deleted files were first viewed or exported by the cybercriminal.”

The subsequent investigation did reveal that the threat actors viewed and possibly acquired the medical referral forms of a small percentage of patients, which included contact details, dates of birth, SSNs, dates of service, diagnoses, conditions, lab results, health insurance identification cards and numbers, and billing details. No financial or payment card information was impacted.

Since discovering the intrusion, FSFH has worked to continuously monitor its systems and block further access, after a full password reset and the implementation of enhanced measures. The provider is working with an outside cybersecurity firm to review its security practices and strengthen protocols. The incident has been reported to federal law enforcement.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
