Over 194K patients added to ongoing Eye Care Leaders breach tally

Regional Eye Associates informed more than 194,000 patients that their data was accessed and deleted from Eye Care Leaders, a cloud-based electronic medical record vendor. Pictured: An Air Force optometrist tests a patient’s eyes during an eye exam at Greenville High School, Miss., July 9, 2021. (Airman Tyler Catanach/Air National Guard)

A breach notice from West Virginia-based Regional Eye Associates informs 194,035 patients that their data was accessed and deleted from their third-party vendor’s system in December 2021, ahead of a ransomware attack.

Although Eye Care Leaders is not named directly, the notice mirrors several other provider notices tied to a ransomware attack on the cloud-based electronic medical record vendor. ECL has been embroiled in a provider-based lawsuit after a year of alleged outages tied to multiple ransomware attacks and claims of an insider incident, in addition to the December incident.

For Regional Eye, ECL informed the provider of the incident and potential impacts on March 1. Like the EvergreenHealth and Summit Eye Associates releases, the notice was provided one month after the 60-day timeline required by the Health Insurance Portability and Accountability Act.

The Regional Eye notice sheds further light on the incident: an attacker gained access to ECL’s system on Dec. 4 and “deleted several databases between the hours of 7:18 pm and 10:13 p.m. before being discovered and locked out of the system.”

So far there’s no evidence that any health information was stolen before it was deleted. However, the investigation is ongoing. As such, Regional Eye is urging patients to place fraud alerts on their credit reports to defend against identity theft.

Notably, Regional Eye is continuing to use ECL for its services and working with the vendor on their forensic investigation. ECL “has implemented technical, administrative, and physical safeguards to protect against future attacks. This includes reviewing and updating access controls, permissions, and data storage security procedures.”

Parker-Hannifin systems’ hack leads to data theft for 119K patients

The hack of Parker-Hannifin Corporation Group Health Plans’ IT systems in March led to the exfiltration of health information tied to 119,513 patients. Parker-Hannifin is a manufacturing company focused on aerospace hydraulic equipment.

The “data security incident” was discovered on March 14, prompting Parker to deploy its incident response protocols, including shutting down certain systems and contacting law enforcement. The subsequent investigation found that a threat actor first accessed Parker’s IT systems three days before the incident was discovered.

During the dwell time, the unauthorized actor may have acquired certain files related to current and former employees, dependents, and Parker's Group Health Plan members. The data varied by individual and could include SSNs, dates of birth, contacts, driver's licenses, passport numbers, bank account and routing numbers, enrollment details and other sensitive data.

For a small number of individuals, the data also included dates of coverage and services, provider names, claims data, and medical and clinical treatment information.

Massachusetts behavioral health provider reports October data theft

Behavioral Health Partners of Metrowest (BHPMW) is just now informing 11,288 patients that their data was “copied from its digital environment” by a hacker on Oct. 1, 2021. BHPMW partners with local and state healthcare providers on care coordination and improved care access in Massachusetts, and is under contract with MassHealth and five provider agencies.

Upon being informed of the data theft in October, BHPMW secured the impacted environment and contracted with an outside cybersecurity firm to conduct an investigation. They found that a hacker gained access to the network and obtained its data between Sept. 14 and Sept. 18, 2021.

The exfiltrated data included patient names, contact details, Social Security numbers, dates of birth, client identification numbers, health insurance details, and diagnoses or treatments. BHPMW contacted the FBI and will cooperate with the ongoing investigation.

Oklahoma ambulance authority ransomware attack impacts 14K

Approximately 14,000 patients who received services from the Bryan County Ambulance Authority in Oklahoma are just now being notified that their data was stolen ahead of a ransomware attack in November 2021, six months ago.

The cyberattack struck on Nov. 24, 2021, encrypting files stored on the network. In response, BCAA disabled all access to the network and restored all the encrypted data. An outside cybersecurity team was brought on to support the investigation.

It appears the gap between the attack and the reporting was caused by “an extensive forensic investigation and manual document review” that concluded on April 7. It should be noted that HIPAA requires entities to report protected health information breaches within 60 days of discovery and without undue delay.

The notice provides no further insight into the type of information stolen by the attacker, nor how long the systems were down or affected by the ransomware incident. All patients will receive free identity theft protection.

Ransomware attack on FPS Medical Center impacts 28K

Arizona-based FPS Medical Center recently notified 28,024 patients that their data was potentially compromised during a ransomware attack in March.

Deployed on March 3, the malware encrypted data on certain systems, prompting restoration measures and an investigation to determine the scope. The subsequent forensics review found the attacker first gained access to the network four days earlier on Feb. 28, 2022.

The investigation could not conclusively rule out that the hacker viewed or downloaded patient information. As such, the affected data could include contact information, driver’s licenses, treatments, diagnoses, health insurance information, and other medical data. The SSNs of a limited number of patients were also impacted.

FPS is currently reviewing its existing policies and procedures, while implementing additional administrative and technical safeguards.

Several providers listed on ransomware actor leak sites

First reported by DataBreaches.net, Vice Society claims to have stolen data belonging to Atlanta Perinatal Associates in Georgia and posted the alleged data on its leak site. A review of the files shows patient records, such as ultrasound testing from the past few years with a wide range of sensitive patient data.

Medical imaging files, including ultrasounds, are stored and shared with Picture Archiving and Communication Systems (PACS). The highly vulnerable legacy tech is used widely in the healthcare sector, despite these flaws. A previous SC Media report showed millions of medical images are actively being exposed through U.S. PACS systems.

Meanwhile, Avos Locker recently posted alleged data proofs from Christus Health in Dallas. A review of the post shows the names of patients with positive COVID-19 test results, personnel data, and patient admissions and operating room records with highly sensitive medical information.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.