Threat actors exploited Horizon Actuarial Services networks, whose clients include the Major League Baseball Players Benefit Plan. Pictured: A baseball with the MLB logo is seen at Citizens Bank Park before a game between the Washington Nationals and Philadelphia Phillies on June 28, 2018, in Philadelphia. (Photo by Mitchell Leff/Getty Images)

Threat actors exploited the networks of Horizon Actuarial Services in November, stealing the data belonging to the consulting services vendors and two client groups: Major League Baseball Players Benefit Plan and Local 295 IBT Employer Group Welfare Fund.

On Nov. 12, the hacking group notified Horizon Actuarial in an email that they’d stolen copies of personal data from its servers. Horizon Actuarial contacted law enforcement and secured its network with help from third-party cybersecurity specialists.

Horizon also “negotiated with and paid the group in exchange for an agreement that they would delete and not distribute or otherwise misuse the stolen information.” Security researchers have long warned organizations that these claims should not be trusted, given the criminality of hacking and evidence showing some groups forge “proof” of deletion.

The investigation that followed confirmed the hackers gained access to Horizon’s computer servers for two days between Nov. 10 and 11, 2021. In that time, they were able to steal health information belonging to plan participants and their family members.

The stolen data included names, dates of birth, Social Security numbers, and health plan information. Horizon Actuarial reported the breach to the Department of Health and Human Service as impacting 38,418 patients, while the MLB plan filed notice for 13,156 individuals and Local 295 filed for 6,123 patients.

The impacted plans were notified of the exfiltration incident on Jan. 13, and Horizon waited until March to send its own notifications, far outside the 60-day requirement outlined in the Health Insurance Portability and Accountability Act.

New Jersey Spine ransomware attack impacts 92K patients

New Jersey Brain and Spine recently notified 92,453 patients that their data was likely accessed during a ransomware attack deployed in November. The investigation is ongoing, which may result in a subsequent notice to impacted individuals.

NJBS discovered its networks and certain systems were encrypted by a cyberattack on Nov. 16, 2021. Once the systems were secured, the security team worked to restore the impacted systems and operations.

While NJBS is still working through the “data mining” process, the investigation has so far concluded the attacker possibly accessed patient data amid the attack. The compromised data could include names, SSNs, contact details, financial account details, debit or credit card information, driver’s licenses, and medical information.

“Since the incident, NJBS has migrated to a third-party hosted cloud-based platform to securely store patient data, implemented two-factor authentication, installed a new server, and implemented ongoing monitoring response which tracks user activity, services and ports and coordinates logging, according to the notification.

The notice does not explain why patients were informed outside of the 60-day HIPAA requirement.

Clinic of North Texas cyberattack leads to data access, possible theft

The data belonging to 76,302 patients was potentially accessed or stolen during a cyberattack deployed against Clinic of North Texas LLP in November 2021. CNT is a health network made up of over 36 provider offices based in Wichita Falls, Texas.

The cyberattack was first detected on Nov. 9, 2021, prompting the launch of a forensics investigation with support from a third-party cybersecurity firm. On Jan. 24, investigators determined the attackers may have accessed or acquired protected health information.

Notably, it appears the impact was contained to a folder stored within the impacted systems, signaling the use of encryption or proper segmentation. As such, the impacted data was limited to patient names, addresses, dates of birth, and certain health data. CNT stressed that the hacked folder did not contain SSNs, driver’s licenses, IDs, or any finance-related data.

CNT has since reset all administrator passwords, implemented two-factor authentication, and deployed end point detection and response and threat hunting tools to prevent a recurrence.

Wheeling Health ransomware attack leads to patient data access

A ransomware attack deployed against Wheeling Health in January, led to the possible access of patient health information. Currently, there have been no reports of data leaks or attempted misuse.

After securing the systems, Wheeling Health engaged with an outside data breach remediation firm to investigate and “decrypt, recover, and rebuild our systems.” The team also reset all end user passwords.

The investigation into the scope of the incident confirmed the hacker may have accessed certain patient information during the attack, including names, contact details, SSNs, driver’s licenses, medical record numbers, tax and income information, and health information on “patients who applied for or received services from Wheeling Health Right.”

Wheeling Health has since implemented MFA for employee email accounts and installed endpoint detection and response tools, in tandem with other security measures. The provider is currently working to implement further safeguards, while reviewing its privacy and security policies and procedures and bolstering employee cybersecurity training.

In brief

Several recent healthcare security incidents were reported to the Texas and Massachusetts attorneys general. Due to state reporting requirements, the notices provide scant detail outside of the number of affected patients.

  • A hacking incident reported by Dialyze Direct to HHS compromised the health data of 14,203 patients. The Texas AG notice shows patient names, contact details, SSNs, driver’s licenses, government IDs, financial details, medical data, and health insurance information were compromised during the incident.

The Massachusetts notice shows the breach was caused by a phishing attack that led to the hack of an employee email account. There are no details about when it was first discovered. But the review showed the hack lasted more than a month, beginning in Jan. 2021.

  • Texas-based AlixaRX informed the Texas AG of a “data security breach” that impacted the names, addresses, SSNs, health data, and health insurance information of an undisclosed number of patients. No further details are available, as AlixaRX has not publicly listed a notice on its website.

More information has surfaced about the JDC Healthcare Management data theft incident, first reported earlier this month. The filing with the Texas AG reveals the theft — which stemmed from a malware attack — impacted more than 1.03 million Texans. As it stands, it’s the second largest healthcare data breach reported in 2022 so far.