Logan Health cyberattack, server hack leads to data access of 214K people

Logan Health Medical Center recently notified 213,543 patients, employees and business associates that their personal and health data was possibly accessed, after a sophisticated cyberattack on its IT systems led to the hack of a file server containing protected health information.

On Nov. 22, the Montana provider responded to suspicious activity and “evidence of unauthorized access” to one of the eight file servers used for business operations. An investigation revealed certain files were subjected to unauthorized access, including employee PHI. The electronic medical record was not affected by the security incident.

The compromised data varied by individual and could include names, Social Security numbers, dates of birth, contact information, and email addresses. All impacted individuals will receive a year of identity monitoring services.

In a notice to employees, Logan Health CEO Craig Lambrecht reminded the workforce of their “important role in protecting patients’ private health information” and issued a number of reminders on best practice security for passwords and interacting with emails from unknown senders.

Logan Health has since assessed the status of its security measures and is currently working to add further security safeguards and training for employees.

JDC Healthcare reports malware incident, 6 months later

An undisclosed number of patients tied to JDC Healthcare Management are just now being notified of a malware incident from August 2021, which could have resulted in the theft of their protected health information. JDC is a dental care service provider.

First discovered on Aug. 9, the malware incident impacted certain company systems and prompted efforts to restore them. An investigation conducted with third-party forensic specialists determined JDC data was accessed and possibly acquired by the attackers for several weeks, beginning on July 27, 2021.

JDC launched a “comprehensive programmatic and manual review” to determine the type of information impacted by the incident. The review confirmed the potentially stolen data could include SSNs, clinical information, demographic details, driver’s licenses, health insurance data, financial information, and other sensitive information.

The provider is reviewing and bolstering its existing security policies. According to the notice, the delayed reporting of the August 2021 incident was not caused by law enforcement. Under the Health Insurance Portability and Accountability Act, covered entities are required to report any breaches of PHI impacting more than 500 patients within 60 days of discovery.

DC, Houston health departments report COVID-19 portal incidents

In recent weeks, both the Houston and Washington, D.C., health departments have reported security incidents that led to the inadvertent disclosure of COVID-19 test result information to the wrong patients.

For the Houston Health Department, 10,291 individuals who used its COVID-19 test results portal were informed that a bug in the platform allowed 3,500 users to potentially access data belonging to other individuals. The incident was not caused by a malicious actor.

The exposure was tied to about 10,000 COVID-19 test results and related health information, including names, contact information, dates of birth, email addresses, and testing dates and results. The portal does not collect Social Security or financial information. The department was informed of the security issue on Jan. 6, spurring the deactivation of the portal within 48 hours.

A review of the incident determined the exposure was caused by a “technical issue within the portal that erroneously linked some user accounts.” The department has since implemented additional measures to prevent a recurrence.

Meanwhile, a report from a local NBC outlet revealed the D.C. Health Department was also forced to take its COVID-19 test result portal offline for similar reasons. Soon after its launch on Feb. 14, some users reported that after inputting their names and other relevant personal information into the portal, they received results from other individuals.

The report shows the names and dates of birth of the affected users weren’t similar. In response, the D.C. Health Department took down the site to investigate. The health department issued a statement that said they received reports from a “small number of users,” but for now, it’s unclear. D.C. residents were encouraged to report similar incidents to the health department.

The portal was taken down in mid-February, and at the time of publication, it remains offline as the department continues its investigation.

Monongalia Health System reports second breach in several months

Just two months after informing 398,164 patients that their protected health information was compromised during a phishing attack and email account takeover, the West Virginia health system is notifying individuals of another potential HIPAA data breach.

On Feb. 28, Mon Health began notifying individuals that it recently investigated and responded to a data security incident that led to the potential access of their data. Unusual activity was discovered in the IT network on Dec. 18, “which disrupted the operations of some of Mon Health’s IT systems.”

The incident resulted in Mon Health taking a “significant portion of its IT network and systems offline,” resulting in the launch of downtime procedures. The notice does not detail the specific cause of the incident, just that it led to the unauthorized access of information tied to patients, providers, employees and contractors.

The investigation confirmed the electronic health record systems were not affected by the incident. However, threat actors accessed the network between Dec. 8 and Dec. 19, when the intrusion was discovered. Mon Health was unable to rule out access to the files on the impacted IT systems.

For patients and members of Mon Health's employee health plan, the affected data could include names, SSNs, contact details, Medicare Health Insurance Claim Numbers, dates of birth, patient account numbers, insurance plan member ID numbers, medical record numbers, dates of service, claims data, and other sensitive medical and clinical treatment information.

The incident affected Mon Health and its affiliated hospitals: Monongalia County General Hospital Company, Stonewall Jackson Memorial Hospital Company, and Preston Memorial Hospital. 

Mon Health has since conducted an enterprise-wide password reset and implemented network hardening measures, in addition to contacting law enforcement.

As noted, the new notice comes just two months after a previous notice detailing a patient and employee data breach tied to a phishing attack. These were two separate incidents. As previously reported, Mon Health discovered a contractor’s email account was taken over by threat actors, who were leveraging the account access to send emails seeking to obtain funds via fraudulent wire transfers.

The subsequent investigation found that the phishing attack provided access to multiple employee email accounts, and to their emails and attachments, over the course of three months.

Jessica Davis
