Breach, Ransomware, Incident Response

Maryland hospital facing outages after ‘significant’ ransomware attack

A ransomware attack has disrupted the network of Maryland's Atlantic General Hospital. ("Maryland State Flag" by Au Kirk is licensed under CC BY 2.0.)

Atlantic General Hospital in Maryland is experiencing network disruptions and outages after a significant ransomware attack deployed this weekend, according to local news outlet WMDT47.

The ongoing outages have caused "limited" patient interruptions, as clinicians maintain operations with downtime procedures. The hospital is continuing to treat patients with all services remaining in operation, outside of its pharmacy, outpatient imaging, and pulmonary function testing.

A notice posted to the Atlantic General website also notes the walk-in outpatient lab “is temporarily closed until further notice.”

The hospital has not added any further notices to its website, and its social media account makes no reference to the outages. The ongoing incident is currently under investigation with support from an outside cybersecurity firm.

SC Media has reached out to Atlantic General for confirmation and will update this story as more information becomes available.

Lutheran Social Services of Illinois informs 184K of 2021 hack

Approximately 184,000 individuals tied to Lutheran Social Services of Illinois are learning that their data was likely accessed during a ransomware attack more than one year ago on Dec. 31, 2021.

The Office for Civil Rights recently reminded covered entities that breaches of protected health information must be reported in a timely manner, which the Health Insurance Portability and Accountability Act requires within 60 days of discovery.

The LSSI notice appears to attribute the massive notification delay to an “extensive forensic investigation and comprehensive review of all the data impacted.”

The ransomware attack was first detected on Jan. 27, 2022, prompting LSSI to disable and isolate the affected systems to contain the threat. The subsequent investigation was led with support from professionals at an outside cybersecurity firm who are experienced in handling these types of incidents.

The review, which concluded in December 2022, confirmed that the possible access to patient data occurred over nearly a month, between Dec. 31, 2021, and Jan. 27, 2022. The compromised data included names, dates of birth, Social Security numbers, biometric data, driver’s licenses, financial details, health insurance information, diagnoses, and treatments.

In brief: LockBit adds two healthcare providers

The LockBit ransomware group recently added two more healthcare provider organizations to its dark web leak site: Juva Skin & Laser Center in New York and Arizona Liver Health. Neither entity has confirmed the alleged incidents.

LockBit has notoriously targeted the healthcare sector, despite members claiming to avoid provider organizations. The group was behind the cyberattack on the Centre Hospitalier Sud Francilien in France in August 2022.

Their latest publicized healthcare incident was an attack and subsequent network outage at Hospital for Sick Children (SickKids) in December. LockBit blamed the incident on a “partner” actor and issued an apology, before issuing the hospital a free decryptor to remediate the issues it caused.

HHS recently issued an alert on the group, after researchers observed LockBit shifting to triple extortion tactics.

UCHealth reports data theft tied to third-party vendor Diligent

An undisclosed number of UCHealth patients and employees are being notified that their data was stolen, after a threat actor gained access to the network of one of its third-party vendors. The business associate, Diligent, provides the Colorado health system with business operations tools.

The "security incident" allowed the hacker to access Diligent software and download attachments, including UCHealth files. Those files included employee and patient data. No UCHealth systems were compromised by the incident.

The stolen data varied by individual and could include names, contact information, dates of birth, and treatment-related details. For some, SSNs and other financial information were also downloaded.

94K UCLA Health patients alerted to tracking tool privacy incident

UCLA Health has joined the growing list of providers to report privacy incidents through the use of tracking tech. While Meta and Google Pixel are not directly named, the notice references the June 2022 report detailing the alleged scraping of hospital data via Pixel tools.

The OCR breach reporting tool shows 94,000 UCLA Health patients were notified by the health system that its use of “analytics tools” on its website and mobile app possibly disclosed their personal and health data to third parties.

“Specifically, UCLA Health’s analytics tools on an appointment request form completed on the UCLA Health website or the UCLA Health mobile app may have captured and transmitted to our third-party service providers certain limited information from the appointment request form,” according to the notice.

The notice adds that the use of these tools began in April 2020. Much like the disclosures from WakeMed and Aurora Health, UCLA Health installed the tech to understand how its community interacted with health system webpages for “more effective and efficient communication.”

Upon learning of the data scraping concerns in June 2022, UCLA Health promptly disabled the use of the tools and launched an investigation.

The review confirmed that the analytics tools captured and disclosed patients’ URL/website addresses, provider names, specialty, ad campaign names, page views, IP addresses, third-party cookies, and hashed values of certain fields on the appointment request form, such as patient names, email addresses, mailing addresses, phone numbers, and genders. 

The review confirmed only the appointment request forms present on the UCLA Health website and the UCLA Health mobile app were affected. The UCLA Health patient portal was not impacted.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
