Ransomware actors are having a productive week with several ongoing outages in the health care sector, including Memorial Health System and Eskenazi Health. What's worse, the attacks are landing while the health sector is still battling another COVID-19 wave.
In just the last week, a number of ransomware-related security incidents have led to electronic health record downtime procedures, care disruptions, data leaks, and two of the largest health care data breaches reported this year.
The incidents should serve as a reminder to providers to prioritize defensive measures and system reviews to prevent joining the growing list of victims.
“[Ransomware] attacks on the health care sector show absolutely no signs of slowing, but why would they? They’re very profitable and the perpetrators have a near-zero chance of being prosecuted,” Emsisoft Threat Analyst Brett Callow tells SC Media.
“The reality is that until one or both of those factors change, health care providers will continue to be hit with an ongoing barrage of financially motivated cyberattacks,” he added.
So far this year, data show there have been 38 attacks on health care providers and health systems that have led to care disruptions at up to 963 locations, Callow explained. The number of affected sites is already significantly higher than in all of last year, which saw 80 separate incidents but care disruptions at just 560 sites.
Memorial Health System
Ohio-based Memorial Health System announced it has reached "a negotiated solution" to restore operations, after a cyberattack on Aug. 15 caused a number of care disruptions. MHS President and CEO Scott Cantley said the health system has "completed an agreement" and received keys to unlock servers and begin recovery.
MHS has been operating under electronic health record downtime procedures since the attack was launched early Sunday morning.
The latest update shows MHS is beginning the restoration process to quickly and effectively return operations using a “deliberate, systematic approach to bring systems back online securely and in a manner that prioritizes our ability to provide patient care.”
Cantley estimates that operations could return as early as Sunday, but did not shed light on what or with whom they negotiated to expedite the restoration process. The health system brought on an outside security team to support the response.
"Patient care has continued to be our top priority," Cantley said in a statement. "Although many of our systems have been down, we have robust processes in place to maintain safe and effective patient care."
The health system has been leveraging its disaster recovery and response policies and plans to maintain patient care. Clinicians are caring for patients using pen and paper processes. But local reports show the attack is causing further care disruption at 64 MHS clinics across West Virginia and Ohio.
In the days following the attack, MHS was forced to divert emergency care and cancel urgent surgeries across its three hospitals. The main hospital, Marietta Memorial, has continued to accept stroke, trauma, and STEMI patients.
The remaining two locations began diverting patients because radiology systems are unavailable, and at least one hospital accepting diverted patients is an hour away. The diversion was enacted because it was "in the best interest of all other patients to be taken to the nearest accepting facility."
All radiology appointments were canceled the Monday after the incident, as well, due to IT system failures.
So far, the investigation has not found any evidence that patient or employee data has been disclosed or publicly leaked. However, a BleepingComputer report showed Hive ransomware actors are taking credit for the attack, quietly leaking data tied to about 200,000 patients. The data theft has not yet been confirmed.
For now, MHS is continuing to focus on remediation efforts and implementing tech to support "intensive security systems."
"It is unfortunate that many health care organizations are confronting the impacts of an evolving cyber threat landscape," added Cantley. "We continue to implement enhancements to our information security, systems, and monitoring capabilities."
Attack on Eskenazi Health System impacts local health department
Eskenazi Health in Indianapolis is reportedly still working to restore all system functions after an attack struck Aug. 4. The latest report shows the Marion County Public Health Department was also impacted during the security incident.
A joint statement confirms the impact to MCPHD, and the officials’ decision to proactively shut down the network once the attack was detected on Aug. 4 “to maintain the safety and integrity of our data.” Eskenazi Health has brought its EHR back online, as of Aug. 8, and its website is also back online.
As of Aug. 18, several services remain offline at Eskenazi Health and MCPHD, with individuals reporting issues in obtaining death and birth certificates. Both entities are continuing the “intensive progress” of analyzing the remaining systems to safely bring them back online.
Notably, screenshots shared with SC Media show the Vice Society hacking group claims to have stolen data tied to the Eskenazi Health Foundation, which likely stems from the health system cyberattack.
Health care ransomware attacks frequently impact data
This week, the Department of Health and Human Services breach reporting tool shows three ransomware attacks led to massive breaches: UF Health Central Florida, University Medical Center of Southern Nevada, and St. Joseph's/Candler Health System.
- UF Health Central Florida: 700,981 patients
On May 31, a cyberattack on two UF Health care sites drove clinicians into EHR downtime procedures as the security team investigated the incident. The IT team detected unusual activity on the computer systems and shut systems down to limit the impact to the network, including access between the care sites.
The network outages lasted for more than a week. A new breach notice shows access first began on May 29, and during that window the attackers could have accessed data tied to 700,981 patients, such as Social Security numbers, health insurance information, contact details, treatment data, and other sensitive data. The EHR was not affected.
- University Medical Center of Southern Nevada: 1.3 million patients
In early July, REvil ransomware threat actors leaked data they claim to have stolen from the University Medical Center of Southern Nevada. Earlier this week, the health system confirmed the breach, which stemmed from a June 14 intrusion into its network servers and was contained within 24 hours.
The HHS tool has since been updated to show 1.3 million patients were affected by the incident that compromised a range of sensitive data, including SSNs, clinical data, diagnoses, demographic details, financial information, and other patient-related data. The incident is among the 10 largest breaches reported in health care in 2021.
- St. Joseph's/Candler Health System: 1.4 million patients
Hackers first breached the network of St. Joseph's/Candler Health System in December 2020. Access continued for six months before the ransomware was deployed on June 17, 2021, which forced the Georgia health system to deploy EHR downtime procedures.
As reported earlier this week, the investigation could not rule out access to patient data. HHS shows 1.4 million patients are being notified that their data was compromised, making it one of the biggest breaches reported in health care this year.
DHS CISA updates ransomware guidance
In light of these continued ransomware incidents and the impact to patient care, all entities should review ransomware guidance provided by the Department of Homeland Security Cybersecurity and Infrastructure Security Agency and updated on Aug. 18.
The "Protecting Sensitive and Personal Information from Ransomware-Caused Data Breaches" factsheet addresses the rise in data exfiltration and extortion, in which attackers steal data before encrypting systems and threaten to leak it unless a ransom is paid. CISA reminds entities that these incidents cause financial loss to the organization while eroding customer trust.
Organizations are urged to “adopt a heightened state of awareness and implement the recommendations” to reduce the risk ransomware poses to the enterprise and better protect sensitive information.
The guidance includes both prevention and response recommendations for ransomware attacks that also aim to breach data. The preventive steps include maintaining offline, encrypted data backups, creating and exercising a cyber incident response plan, and mitigating internet-facing vulnerabilities and misconfigurations, among a host of other prevention measures.
CISA also provides step-by-step instructions for responding to detected ransomware and a long list of free resources that can help organizations bolster their security posture. As a reminder, a number of security leaders are providing the health care sector with ransomware assistance during the pandemic, including Emsisoft and the Center for Internet Security.