
Ongoing ransomware, data theft, leaks pummel health care organizations

Network outages and service disruptions have become a prevalent fallout from cyberattacks in healthcare. After the Kronos incident, providers must evaluate how to maintain business continuity. (Photo by Cate Gillon/Getty Images)

Ransomware attacks and data theft are continuing to prove problematic for the health care sector, leading to a number of breach notices reported to the Department of Health and Human Services and to dark web postings of stolen health information.

In the last month, more than a dozen providers have reported falling victim to ransomware attacks or other system hacks that directly resulted in the theft of protected health information. And screenshots shared with SC Media show multiple ransomware hacking groups have released patient-related information they allegedly stole from health care networks.

Notably, many of these providers are nonprofits that provide assistance to communities, as well as substance abuse patients and those with disabilities.

The reports confirm data exfiltration is an ongoing threat to the health care sector and the importance of continuous monitoring to better detect system intrusions. Previous Coveware data found exfiltration occurs in 81% of ransomware attacks.

Dark web data leaks

In the last two weeks, screenshots shared with SC Media confirmed Groove and Pysa hacking groups are actively targeting health care providers, with at least four confirmed postings of health data.

Ransomware newcomer Groove claims to have attacked the Robinwood Orthopedic Specialty Center in Maryland. Screenshots show highly sensitive scans of prescription forms, complete with member IDs, health plan numbers, primary care providers, effective dates, and prescription types. This type of data is commonly used in fraud attempts and tailored phishing scams.

The posting also appears to include EMR data of individual patient records.

Meanwhile, Pysa recently posted multiple zip files of data that Pysa partners allegedly stole from One Community Health, Woodholme Gastroenterology Associates, and Spartanburg & Pelham OB-GYN.

Vice Society claims to have attacked United Health Centers in California

A recent BleepingComputer report shows Vice Society claims to have deployed a ransomware attack on United Health Centers in California. The purported attack was launched on Aug. 31 and resulted in a network shutdown and disruption to the provider's entire IT system.

Earlier this week, Vice Society began leaking proofs of data they allegedly stole from UHC prior to the ransomware attack, including lab results, audits, financial information, and patient benefits.

SC Media reached out to UHC to confirm the attack, but did not receive a response by the time of publication.

Ransomware attack on small New Hampshire provider spurs three days of EHR downtime

Coos County Family Health Services in New Hampshire was reportedly hit with a ransomware attack late Sept. 20, which drove the small nonprofit clinic into electronic health record downtime procedures for a number of days.

The attack affected the computer, email, and phone systems, which forced the provider to cancel all patient services and appointments the day following the attack. Officials said they were able to continue to provide some services to the community during the outage, including COVID-19 testing and vaccines.

An initial review found the entire system had been compromised. The systems were partially restored in just three days.

Talbert House network cyberattack leads to data theft

A threat actor gained access to the Talbert House network on June 11, which led to a period of downtime procedures to contain the attacker and prevent further malicious activity. But before the intrusion was detected, the actor was able to access and exfiltrate data belonging to 45,000 individuals.

Talbert House is a nonprofit community resource center focused on prevention, assessment, treatment and reintegration.

Upon discovery, Talbert House partnered with an outside cybersecurity firm to secure the network and bolster its security systems. The investigation is ongoing, but the review has confirmed the attackers stole a number of files tied to clients, employees, and other third parties.

The client data could include protected health information, contact details, medical data, and health insurance details. For all other parties, SSNs, driver’s licenses, and financial account information may have been accessed during the hack. All impacted individuals will receive free credit monitoring and identity theft protection services.

Talbert House is continuing to review its security protocols and processes, in addition to enhancing employee training and education.

Healthpointe Medical Group

California-based Healthpointe Medical Group recently notified 11,000 patients that their data was exfiltrated from its network after an attacker compromised a number of servers. The notice does not detail when the intrusion was detected or for how long the attacker remained on the network.

Instead, a systems review confirmed on July 7 that an attacker gained access to Healthpointe’s systems and exfiltrated a number of files and folders. Two weeks later, officials completed a review and determined that some stolen information included protected health information.

The patient-related data included names, diagnoses, lab results, medications and treatments, among other clinical information, as well as demographic details and medical claims data.

In response to the intrusion, Healthpointe took measures to restore its systems and ensure the network was secured from further access. The provider is currently reviewing its data security policies and procedures and will take steps to bolster existing protocols to prevent a recurrence. Healthpointe also issued a company-wide password reset, added technical safeguards, and updated its environment.

Indian Creek Foundation

Indian Creek Foundation is just now notifying patients that their data was accessed and possibly stolen ahead of a ransomware attack launched on Feb. 6. The notice shows certain portions of the network were encrypted at that time, prompting the provider to take systems offline and launch other containment measures with help from an outside forensic firm.

The investigation determined certain folders were accessed and exfiltrated during the incident. Indian Creek Foundation partnered with another third-party firm to programmatically and manually review the information to determine the patients who were affected and the types of data.

The incident review into the cyberattack and its impact ended on July 14. Under the Health Insurance Portability and Accountability Act, providers must notify patients within 60 days of discovering a breach — not at the close of an investigation.

Upon discovering the breach had occurred, officials explained that they “continued to diligently review and reconcile the information with internal records in furtherance of identifying the individuals to whom the data related and the appropriate contact information for those individuals.” The review concluded on Aug. 24.

The compromised data varied by individual and could include names, SSNs, driver’s licenses, health insurance details, treatments, diagnoses, and financial account information. All patients will receive free credit monitoring and identity restoration services.

Indian Creek Foundation is currently reviewing and enhancing the existing policies and procedures and intends to implement further security safeguards.

Vista Radiology ransomware attack; data accessed prior to deployment

Ahead of a ransomware attack against Vista Radiology on July 10, threat actors accessed and viewed several servers containing patient data. Portions of the network were encrypted during the attack, which led the security team to take the network offline. It appears the attackers only interacted with a small portion of the network.

The initial findings determined the attack appeared designed to just encrypt the network and not exfiltrate data. But a further review found the attackers indeed accessed a number of servers ahead of the ransomware deployment, some of which contained patient-related information. The data included names, dates of birth, SSNs, radiology studies, and radiologist comments.

Notably, the notice affirms that “the investigation has not demonstrated that any significant amount of data was exfiltrated from our network”; the review is ongoing. Vista was able to restore the impacted network from backups and has no intention of negotiating with the hackers.

The review could not determine the specific data accessed during the incident, although the impacted servers contained a limited amount of patient data. The provider is treating the incident as a breach and notifying 3,634 patients.

Vista has since enhanced its network security, including a complete rebuild and redesign of its network security architecture. A forensic investigation enabled the provider to identify and correct network vulnerabilities that may have enabled the intrusion. Vista is continuing to work with law enforcement on its investigation.

Buddhist Tzu Chi Medical Foundation

Nearly 19,000 individuals were recently notified that some of their protected health information was potentially exposed during a ransomware attack on the Buddhist Tzu Chi Medical Foundation.

On July 15, officials said they discovered some portions of the network were inaccessible, while certain computers were operating unusually, which prompted them to take the servers offline. The foundation launched its incident response protocols and an investigation.

Officials said they could not definitively rule out access to the protected health information stored on the impacted systems, nor whether the data was exfiltrated. The data could include names, contact information, diagnoses, and dental X-rays of patients.

Buddhist Tzu Chi has since upgraded the security software on its workstations and is planning to migrate to a cloud-based dental X-ray platform to eliminate the need for hosting images on the local network.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
