Ransomware caused American Dental Association outage, led to stolen data

An April cyberattack on the American Dental Association was caused by ransomware, the ADA has disclosed to state regulators. Pictured: A soldier flosses a patient during Innovative Readiness Training Puerto Rico. (Sgt. Andy O. Martinez/Marine Corps)

The American Dental Association recently began notifying state regulators that the “cybersecurity incident” it reported in April was actually a ransomware attack, which led to the theft of member data.

On April 23, ADA first reported to its members that a cybersecurity incident was causing technical issues and other disruptions for some of its clients, including the Texas and New York Dental Associations. In response, ADA shut down and isolated all of its systems, which affected the member-only access to the ADA and Texas Dental Association websites.

TDA later confirmed the incident was definitely caused by a cyberattack deployed on April 21, and that the groups were cooperating with federal authorities on a “vigorous investigation.” ADA later followed up by stating it was also working with third-party cybersecurity specialists.

At the time, ADA responded to rumors that data was stolen ahead of the hack by the Black Basta group by stressing that “a data breach has not occurred.”

However, its recent notice confirms that data theft indeed occurred and includes additional details about the attack. The “sophisticated” ransomware attack disrupted only certain systems. On April 27, the investigation confirmed “certain information on ADA’s systems was accessed and/or acquired by an unauthorized actor.”

The investigation into the extent of the breach did not conclude until June 10. The notice does not share the precise data impacted, just that it was personal information tied to member names. Impacted members will receive complimentary credit monitoring and identity protection services.

ADA has since assessed its systems security and reset relevant account passwords, while it works to review and bolster its existing policies and procedures.

Patients of two more providers added to Eye Care Leaders breach

The impact of the Eye Care Leaders data theft has now reached 3.03 million patients. Arkansas Retina recently reported 57,394 of its patients were affected by the December incident, and Sight Partners Physicians in Washington notified 86,101 patients.

The ECL incident remains the largest healthcare data breach reported so far this year, impacting more than 35 eye care providers.

The latest notices resemble the previously released notifications, including that the impacted providers weren’t notified of the December incident until April 15. Under the Health Insurance Portability and Accountability Act, business associates are required to inform covered entities of protected health information compromises within 60 days and without undue delay.

The cyberattack began “on or about” Dec. 4, 2021, on some ECL databases where patient records were maintained. The subsequent investigation could not rule out that the data was accessed or stolen by the attacker.

The impacted providers ran reports on the practice management systems to identify the affected patient data, which included names, contact details, medical record numbers, treatments, diagnoses, prescriptions, and provider names, among other medical information.

In response to the incident, Sight Partners ended its use of the ECL platforms, a response mirrored by about half of the impacted providers. All affected patients will receive free credit monitoring.

As extensively reported, ECL is currently defending itself against a lawsuit filed by three providers that claim the vendor concealed multiple ransomware attacks and long periods of unscheduled downtime.

Kaiser Permanente device theft leads to data breach for 75K patients

An individual broke into a locked storage area at the Kaiser Permanente Los Angeles Medical Center on May 20 and stole an iPad, as well as the password needed to access the device. As a result, 75,010 Kaiser Foundation Health Plan Southern California patients are being notified that their data could be compromised.

The stolen device was used at a COVID-19 testing site by employees and contained photos of COVID-19 lab specimen labels, which included patient names, dates of birth, medical record numbers, and the date and location of service. The iPad did not contain any photos of patients, lab results, Social Security numbers, or credit card numbers.

The investigation didn’t find specific evidence the information was accessed or viewed by the thief, but Kaiser is informing all patients whose data was stored on the stolen device. Kaiser also remotely erased all of the data from the stolen iPad, including the photos.

Kaiser has since relocated all its devices to a more secure location and strengthened its internal practices and procedures.

29K Benson Health patients informed of May 2021 cyberattack

Benson Health was hit by a cyberattack against its network on May 5, 2021, which led to the access of patient data for 28,913 patients. The North Carolina provider began issuing breach notices to patients on July 15, 2022, more than a year after the initial attack began.

Upon discovering the incident, Benson Health launched an investigation with support from an outside third-party forensic specialist and a data mining firm to “perform an extensive and comprehensive review of the data set and identify individuals whose personal information was in that data set.”

The investigation concluded June 7, 2022, which could explain the gap. But HIPAA is clear that notices must be sent to patients without undue delay and within 60 days after the breach was discovered — not at the close of an investigation.

The forensics determined the accessed data included patient names, dates of birth, SSNs, and health or treatment information. All impacted patients will receive free credit monitoring services.

ATC Healthcare reports theft of data from December cyberattack

In yet another apparent delayed notice, ATC Healthcare Services recently notified an undisclosed number of patients that their data was likely accessed or acquired during a December 2021 cyberattack. Notices were not sent until July 1, more than six months later.

ATC first learned of the “criminal cyberattack” on Dec. 22, 2021, and promptly worked to secure its systems. The notification shows the attack impacted “email accounts.” The subsequent investigation could not conclusively rule out access or theft of patient data. ATC has since enhanced its systems security.

The compromised information varied by patient and could include names, SSNs, driver's licenses, dates of birth, government-issued identification numbers, medical data, insurance information, employer-assigned identification numbers, and user credentials.

Associated Eye Care informs patients of 2020 Netgain incident

Earlier this month, Associated Eye Care in Minnesota began notifying 40,793 patients that their data was compromised as far back as September 2020, after the hack of its cloud IT hosting, service, and solutions provider Netgain.

The Netgain incident was one of the biggest healthcare data breaches reported in 2021, involving the theft of patient data that was later returned to the vendor with “assurances that the data was deleted and destroyed.” At the time, the breach tally reached more than 865,000 individuals from multiple provider organizations.

Entities first began notifying patients during the first half of 2021 of several Netgain security incidents that compromised patient data. In September last year, a hacker used stolen credentials to access the Netgain system and spread to a range of client environments that were connected to its system.

During the dwell time, the attacker was able to steal a significant amount of patient information. The initial hack went undetected for several months before the attackers deployed ransomware onto the environment on Dec. 3, 2020, which was discovered soon after by Netgain.

The investigation revealed the initial hacking and exfiltration of client and related patient data, which could include patient names, SSNs, dates of birth, contact details, driver’s licenses, and claims data that could reveal diagnoses and medical conditions. At the time, the hackers did demand a ransom payment from Netgain, which the vendor paid to regain patient data.

Associated Eye Care attributes the lengthy gap in reporting to “an extensive data mining project to identify all impacted individuals,” completed on May 16, 2022.

AEC is currently reviewing and updating its server and systems security policies and procedures, in addition to its information life cycle management services. The incident led AEC to replace Netgain as its vendor and migrate the data and environment to another service provider.

Southwest Health notifies 46K patients 6 months after data theft

Earlier this month, Southwest Health Center in Wisconsin began notifying 46,142 patients that their data was possibly accessed and stolen during a “data security incident” discovered on Jan. 11, 2022.

Upon discovering the incident, the provider worked to secure the network and launched an investigation, which confirmed the possible exfiltration. Southwest Health then began “a comprehensive review of the data,” which concluded on May 27. It’s unclear why the provider further delayed the notifications.

The review found both personal and protected health information was likely stolen, which included names, SSNs, dates of birth, driver’s licenses, state identification card numbers, financial account numbers, medical data, and/or health insurance information.

Southwest Health notified the FBI after the attack, which later informed the provider that the data servers involved in the incident were identified and confiscated. All affected patients will receive identity protection services for one to two years.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
