Ransomware attack on Quest’s ReproSource impacts data of 350K patients

ReproSource Fertility Diagnostics, a subsidiary of Quest Diagnostics, notified about 350,000 patients that their data was potentially accessed or acquired in a ransomware attack. (Quest Diagnostics)

Approximately 350,000 patients were recently notified that their data was potentially accessed or acquired during a ransomware attack on ReproSource Fertility Diagnostics, a clinical laboratory for fertility specialists and a subsidiary of Quest Diagnostics.

A threat actor first gained access to the ReproSource network on Aug. 8; the intrusion was discovered two days later, when the ransomware was deployed. Upon discovery, the security team severed all network connections and contained the incident within several hours.

A third-party cybersecurity firm was brought on to investigate and confirm the ransomware was contained, in addition to securely recovering operations. The ReproSource notification shows the investigation could not confirm if any protected health information was acquired.

However, a Quest filing with the Securities and Exchange Commission explains the attacker could have accessed or acquired PHI prior to deploying the ransomware payload. ReproSource is notifying all patients whose data was found on the impacted systems.

The investigation is ongoing, but officials have determined the impacted data varied by patient and could include names, contacts, dates of birth, CPT and diagnosis codes, test requisitions and results, test reports, medical histories, health insurance plan identification names or numbers, other data provided to the physician, and further information tied to billing and health.

ReproSource may provide an additional notice if further evidence of data compromise emerges during the investigation. The provider has since enhanced its cybersecurity measures with additional monitoring and detection tools.

“Quest Diagnostics maintains cybersecurity insurance and does not believe this incident will have a material impact on its business, results of operations or financial condition,” according to the SEC filing.

5 months after systems hack, OSF HealthCare notifies 54K patients

OSF HealthCare recently issued a breach notice to 53,907 patients, following an undetected systems hack more than five months ago. Of concern, the Health Insurance Portability and Accountability Act requires all covered entities to report PHI breaches impacting more than 500 patients within 60 days of discovery.

Further, it’s the third security incident involving the Illinois provider in a little more than a year. OSF Health was included in the massive Blackbaud ransomware attack and breach in 2020, which affected more than two dozen providers and millions of patients. 

And in April 2021, a DataBreaches.net report revealed a trove of patient data tied to multiple providers was captured and then leaked on the data repository GitHub Arctic Code Vault by third-party vendor MedData. OSF Health was among the impacted providers and issued its own notice to patients.

The latest breach notice is tied to the hack of OSF HealthCare Little Company of Mary Medical Center and its Saint Paul Medical Center. First identified by OSF Health on April 23, the “security incident” disrupted operations of some IT systems. The team took steps to secure the systems, launched an investigation, and notified law enforcement.

The investigation found an attacker first gained access to the network on March 7, nearly two months before the unauthorized access was discovered. Further, certain patient files were accessed during the hack. The investigation concluded on Aug. 24.

The compromised data included patient names, contact details, Social Security numbers, driver’s licenses, government identification, treatments, diagnoses, codes, provider names, dates of service, hospital units, prescriptions, medical records, and health insurance information. For some patients, financial account and credit or debit information was included.

Patients whose SSNs were impacted by the incident will receive free credit monitoring and identity protection services.

McAllen Surgical Specialty Center security incident

Texas-based McAllen Surgical Specialty Center recently began notifying 29,277 patients that their data was potentially compromised during a systems hack more than four months ago.

On May 14, McAllen Surgical discovered the files of one of its servers were encrypted and launched an investigation. They found an attacker gained access to the network two days before the incident. The investigation could not determine whether any servers containing patient data were accessed during the hack. 

The patient information varies by individual but may include names, contact details, SSNs, health insurance information, dates of service, provider names, medical record numbers, and patient numbers. The notice explains it’s possible the data was taken by the actor.

McAllen is currently reviewing and enhancing its existing policies and procedures.

Malware attack on JDC Healthcare Management

A “malware incident” on certain JDC Healthcare Management systems resulted in certain documents being copied or accessed from the system by a threat actor. The Texas-based dental and orthodontic provider is still investigating the incident to determine just how many patients were impacted.

The malware was first discovered on Aug. 9, but the attacker had access to the network for nearly three weeks between July 27 and Aug. 16. The notice explains that the malware impacted the functionality of the environment.

JDC is currently performing a detailed review of the affected data to determine the type of information involved. But the impacted systems contain clinical, demographic, health insurance, and financial information. The provider is working to assess and enhance its policies to prevent a recurrence.

Oregon Eye Specialists reports monthslong email hack

An undisclosed number of Oregon Eye Specialists patients are being notified that their personal and protected health information was compromised during a monthslong email hack between June 29 and Aug. 31.

The provider first discovered suspicious activity in a number of employee email accounts on Aug. 10. A subsequent review found the accounts held certain patient data, such as names, dates of birth, medical record numbers, financial account details, and/or health insurance provider names and policy numbers.

Impacted patients will receive credit monitoring and identity protection services. Oregon Eye Specialists has since reset all email passwords and enhanced its security policies and controls.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
