
Ransomware attack on Yuma Regional Medical leads to data theft for 700K patients

This week’s healthcare breach roundup contains multiple email hacks and is led by the ransomware attack on Yuma Regional Medical Center that impacted 700,000 patients. Pictured: A registered nurse assigned to a military medical team deployed to Yuma, Ariz., enters a patient’s information into the hospital’s medical database at Yuma Regional M...

Yuma Regional Medical Center in Arizona recently notified 700,000 patients that their personal and health data was stolen ahead of an April ransomware attack.

A status notice on the YRMC website shows the hospital was forced into electronic health record downtime procedures, following the deployment of ransomware on April 25. YRMC leveraged previously established backup processes, which enabled patient care to continue despite the IT disruptions.

YRMC worked with law enforcement and a third-party cybersecurity team to bring the systems back online, while prioritizing patient care. The hospital facilities remained open during the cyberattack, but officials confirmed the ransomware caused delays in some patient services and the cancellation of some appointments.

YRMC has since restored its systems and strengthened their security, while continuing to improve its information security protocols.

The investigation into the incident and subsequent breach notice revealed the attackers first gained access to the network four days before deploying the ransomware. During the dwell time, the threat actor removed a subset of patient files from the YRMC systems.

The stolen data included patient names, Social Security numbers, health insurance details, and medical care information. The investigation confirmed the ransomware did not impact the electronic medical record application.

Data of 198K patients of Florida provider accessed in email hack

The protected health information of 197,733 Central Florida Inpatient Medicine patients was compromised after a monthlong hack of an employee email account nearly one year ago.

As a reminder, the Health Insurance Portability and Accountability Act requires covered entities facing data breaches to report the incident within 60 days of discovery and without undue delay.

The CFIM notice does not share when the hack was first discovered, just that a single email account was hacked between Aug. 21, 2021, and Sept. 17, 2021. Upon discovery, the account was secured and an investigation was launched with support from an outside cybersecurity firm.

The investigation and manual document review confirmed the accessed email account contained a range of PHI that varied by patient, including names, dates of birth, diagnoses, treatments, provider and/or hospital names, dates of service, and health insurance information.

For a smaller subset of patients, SSNs, driver’s licenses, financial accounts, and account credentials were also impacted. These individuals will receive complimentary credit monitoring services.

CFIM has since implemented additional technical safeguards for its email system, installed multi-factor authentication, and provided employees with further security awareness training, particularly around the risks posed by malicious emails.

Kaiser Foundation Health Plan email hack impacts 70K

Kaiser Foundation Health Plan of Washington recently began notifying 69,589 patients that their health data was compromised during the hack of an employee email account on April 5.

After discovering the unauthorized access, Kaiser Permanente terminated the access within hours after it began and reset the account password. The investigation revealed that PHI was contained in the impacted account and emails. The forensics review could not conclusively rule out unauthorized PHI access.

The compromised data could include full names, medical record numbers, dates of service, and lab test results. The impacted account did not contain any SSNs or credit card numbers.

The employee tied to the account has since received additional training on safe email practices, and Kaiser Permanente officials said they’re looking into other steps they can take to prevent a recurrence.

McCoy Vision Center added to Eye Care Leaders breach tally

Yet another healthcare covered entity has been added to the ongoing tally of providers affected by the Eye Care Leaders ransomware attack. McCoy Vision Center has notified 33,930 patients that their data was accessed during the December 2021 incident.

As previously reported, a Dec. 4, 2021, ransomware attack deployed against ECL enabled the attacker to access the myCare Integrity EHR platform and its data and delete certain databases and system configuration files. ECL was unable to rule out the possibility that some PHI and personal data was exposed during the incident.

For McCoy, the impacted data included patient names, SSNs, dates of birth, contact details, diagnostic data, and health insurance information. It’s unclear whether McCoy has since evaluated or ended its relationship with ECL.

The December incident has now impacted well over 300,000 patients from Regional Eye Associates, EvergreenHealth, Summit Eye Associates, Burman & Zuckerbrod Ophthalmology, Fishman Vision, Associated Ophthalmologists of Kansas City, Finkelstein Eye Associates, Moyes Eye Center, and AU Health.

As reported by SC Media, ECL is currently defending itself against claims it concealed multiple ransomware incidents deployed earlier in 2021.

Recovering from attack, Goodman Campbell reports data theft

Indiana-based Goodman Campbell Brain and Spine recently reported that it fell victim to a cyberattack on May 20, which disrupted operations of its network and communication systems. The Hive threat actors have since posted data proofs from Goodman Campbell on the group's leak site.

Upon discovery, the team secured the systems and contracted with a forensic analysis and incident response firm to investigate. Goodman Campbell is still working to restore the impacted systems and “recover data, and eradicate malicious activity from our systems.” The FBI has also been notified, and the forensic specialists are continuing to work with the bureau's ransomware team.

The investigation is ongoing, and Goodman Campbell has “not yet been able to verify the full nature and extent of personal data that may have been compromised.” The initial findings indicate that patient and employee data was accessed by the threat actor.

Once the investigation is complete, the provider will send official notifications to patients and employees with further details. All patients and staff are encouraged to monitor and review banking, financial accounts, and credit reports for any fraudulent or irregular activity.

Currently, Goodman Campbell is continuing to address the impacts of the cyberattack. Officials said they're continuing to provide patient care as they work to restore the systems.

MCG Health reports theft of patient, member data

MCG Health recently began notifying an undisclosed number of patients that their personal information was stolen by a threat actor, after a “data security issue.” MCG Health is a business associate that provides care guidelines to healthcare entities and health plans.

The notice is scant on details, only reporting that it “determined on Mar. 25” that a hacker obtained data, which “matched data stored on MCG’s systems.” But MCG does not describe how that data was obtained, nor whether it was tied to ransomware or a cyberattack.

Upon discovering the “issue,” MCG launched an investigation with help from a forensic investigation team and notified law enforcement. The analysis shows that the stolen data varied by individual and could include names, SSNs, medical codes, contact details, and dates of birth.

MCG is continuing to work with law enforcement and has since bolstered its monitoring tools, as it further enhances its security measures.

Acorda Therapeutics notifies patients of January email hack

An undisclosed number of patients tied to Acorda Therapeutics in Georgia were recently notified that their data was accessed during the hack of its business email environment in January. The notice shows the delay in notification was caused by a lengthy forensic review of the email contents.

Although the incident was discovered in January, the threat actor first gained access to the email system on Dec. 15 and used the dwell time to access certain company emails. Upon discovery, Acorda secured the email environment and launched an investigation. The notice omits the types of data contained in the accessed emails.

Acorda has since implemented additional safeguards, as it continues to review its existing security procedures and tools. All impacted individuals will receive credit monitoring and identity protection services.

Prothena reports monthslong employee email hack

Prothena, a late-stage clinical company, recently notified certain individuals that their data was compromised during a four-month hack of an employee email account. Upon discovery, the account was secured to prevent further access.

With assistance from an outside forensic firm, Prothena determined a threat actor accessed a single email account at various times between Dec. 20, 2021, and April 22, 2022. Evidence indicates the attacker was using the account access to attempt fraudulent wire transfers against the company, “by attempting to redirect vendor payments to new bank coordinates.”

The wire transfer attempts were unsuccessful. However, the investigation could not rule out access to or exfiltration of the data contained in the account. As such, the potentially impacted data could include names, contact details, SSNs, or tax ID numbers. All individuals will receive two years of identity protection services.

Choice Health reports breach after patient data posted on dark web

Patients tied to Choice Health were recently notified that their data was stolen and leaked on the dark web. On May 14, Choice Health was informed that a threat actor “was offering to make available data allegedly taken” from the insurance provider.

An investigation into those allegations quickly determined the attacker was able to obtain patient data from a single database, due to a misconfiguration by its third-party vendor that left the information publicly accessible from the internet. The exposure enabled the actor to readily reach the database from the internet and steal certain files on May 7.

The stolen data varied by individual and could include names, SSNs, Medicare beneficiary identification numbers, dates of birth, contact details, and health insurance information. All affected individuals will receive two years of identity protection services.

Upon discovery, Choice Health worked with the vendor behind the error to properly reconfigure the security settings on the affected database, while confirming access to the database was blocked from the internet. The insurer has since enhanced its security measures to prevent a recurrence, including the implementation of multi-factor authentication on its database.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
