A number of health care data breaches impacted patient information in the last week, serving as a reminder to continue reviewing all endpoints and access controls. (Credit: "Hospital Corpsman 3rd Class Ryan Albin charts patient information" by NavyMedicine is marked with CC PDM 1.0)

The latest data breaches reported by the health care sector are primarily led by email-related incidents and ransomware, and two of which are among the largest reported this year. The incidents should serve as a reminder of the continued targeting of providers by cybercriminals, despite ongoing challenges faced by the sector amid COVID-19.

Orlando Family Physicians (OFP) recently notified 447,426 patients that their data was potentially compromised during a successful phishing attack in April. The breach tally makes the OFP incident among the 10 largest reported in health care this year.

On April 15, an attacker gained access to an employee email account after first obtaining their credentials through a phishing email scheme. Upon discovery, the security team worked to contain the incident and launched an investigation with assistance from a third-party cybersecurity forensics firm.

The investigators found three additional employee emails were also accessed by the hacker and quickly terminated access to the affected accounts. By May 21, Orlando Physicians determined the attacker likely accessed the personal information contained in the accounts, though it appears the attack was designed to commit financial fraud against OFP.

The four impacted email accounts contained a range of personal and health data that varied by patient and could include names, demographic details, diagnoses, provider names, prescriptions, legacy Medicare beneficiary numbers derived from Social Security numbers, subscriber information, medical record numbers, patient account numbers, and passports.

OFP has since bolstered its data security measures to prevent a recurrence, in addition to retraining its workforce on email security basics.

UCSD Health reports four-month phishing-related patient data breach 

About 495,949 patients of the University of California San Diego Health were recently notified that their data was compromised after a fourth-month long hack of several employee email accounts between Dec. 2, 2020, and April 8, 2021.

The notice does not detail when the incident was first discovered, just that there was unauthorized access to multiple employee accounts. Upon discovery, the security team terminated access and launched an investigation alongside the FBI and a third-party cybersecurity firm.

Investigators are continuing to analyze the data contained in the accounts. For now, they’ve confirmed the accounts held data from a subset of patients, students, and employees. UCSD Health estimates that the review of the accounts will conclude in September.

The possible data accessed or acquired during the incident could include names, contact information, dates of birth, claims data, lab results, diagnoses, conditions, medical record numbers, medical identifiers, prescriptions, treatments, medical information, SSNs, government IDs, payment card numbers, financial accounts and security codes, student IDs, and access credentials.

Once the investigators conclude the investigation, officials said they’ll contact all impacted individuals and provide a year of free credit monitoring and identity theft protection services. UCSD Health has since changed employee credentials, disabled access points, and enhanced security processes and procedures.

Express MRI email hack in 2020 leads to possible patient data compromise

The hack of an Express MRI employee email account potentially led to the compromise of some patient data. Discovered on July 10, 2020, an unauthorized actor sent malicious emails from an employee email account.

At first, the investigation did not find evidence patient data was accessed during the incident; hence the delayed breach notice. But a secondary review completed on June 10, 2021, found that an attacker accessed, read, or exfiltrated some files containing patient information during the initial email hack.

The compromised files contained patient names, contact information, dates of birth, referring providers, the body part scanned by Express MRI, workers’ compensation claims, and motor vehicle accident investigations. No SSNs, financial data, or patient scans were compromised.

Cayuga Medical Center added to Accellion breach tally

The data of some Cayuga Medical Center patients was included in the Accellion breach tally, reconfirming the third-party vendor incident is the biggest health care-related incident so far this year. The New York-based provider began notifying patients of the compromise earlier in July.

Threat actors gained access to Accellion’s network and a host of connected clients in December, by exploiting a number of known vulnerabilities in the vendor’s File Transfer Appliance (FTA).

The access enabled Clop ransomware actors to deploy a malicious web shell and steal troves of sensitive data from a number of clients. The group began to directly extort Accellion clients in January, threatening to leak the exfiltrated information. The ongoing tally includes at least 100 impacted companies, affecting more than 3.51 million patients.

For Cayuga Medical, the impacted data was tied to its vendor, Guidehouse, which was compromised by the Accellion incident. The data could include patient names, dates of birth, some medical information, and insurance account numbers. Affected patients will receive free credit monitoring services.

The ongoing investigation shows only a fraction of Cayuga Medical’s patients were impacted. The incident is not yet listed on the Department of Health and Human Services’ breach reporting tool, so the exact total is unknown for now.

Third-party vendor incident leads to theft of patient data

Earlier last week, Renaissance Life & Health Insurance Company of America began notifying an undisclosed number of patients that their data was stolen after a hacking incident at one of its vendors, Secure Administrative Solutions (SAS).

In June, SAS notified Renaissance that certain policyholders’ protected health information was exfiltrated from its network. Access to the SAS network lasted for a month between March 15 and April 15, 2021.

An investigation into the scope of the incident found the stolen information could include a combination of patient information, such as names, contact details, birthdates, health insurance policy numbers, and other health insurance data, like policy types, premium amounts, and insurance dates. No SSNs or financial data were impacted.

The exfiltrated data was purportedly destroyed by the threat actors after a ransom payment. But as Coveware and other security researchers have noted, victims should not rely on supposed evidence provided by hackers.

Renaissance worked closely with SAS to ensure the data was secured. SAS has since rebuilt the impacted servers and implemented additional controls, including building new domain controllers, resetting all passwords, requiring further password complexity and stronger controls over password use, migrating all users to Microsoft Office 365, and implementing MFA.

SAS also deployed new PCs to all users and provided additional training on new security protocols.

Francisco J. Pabalan, M.D., reports ransomware incident impacting 50K patients

Francisco J. Pabalan, M.D., doing business as Pabalan Eye Center, recently notified 50,000 patients that their data was potentially compromised after a ransomware attack launched between May 1 and May 3.

The ransomware locked down the California provider’s servers and demanded a ransom to decrypt the data. But officials confirmed they did not pay the ransom, as they had reliable backup processes in place that enabled the team to erase all impacted servers and computers and implement technical controls to terminate outside access to the network.

After installing updated antivirus software, Pabalan Eye Center restored its network from clean backup data. The team has also reformatted all servers and computers, installed updated operating systems, adopted new data encryption technology, reset all passwords, and implemented new technical safeguards, such as a secure Virtual Private Network (VPN).

The impacted systems contained scanned insurance forms, exam findings, medical imaging, diagnostic testing, and scanned past medical records. While it appears the attackers were driven by the anticipation of a ransomware payout and not to access patient data, Pabalan Eye is notifying all patients due to the risk posed to their information.

Allegheny Intermediate Unit ransomware attack impacts beneficiary data

A ransomware attack on Allegheny Intermediate Unit led to the access of certain files stored on its servers, including employee beneficiary and dependent information. AIU is a branch of the Pennsylvania Department of Education, which serves as a liaison between school districts and the PDE.

An investigation led by an outside cybersecurity firm found that prior to the deployment of ransomware, the threat actors accessed some AIU data belonging to current and former employees who participated in AIU health or other benefit plans and sole-proprietor vendors.

The compromised data included names, contact details, dates of birth, SSNs, and tax identification numbers of sole-proprietor vendors.

Since the incident, AIU has implemented multi-factor authentication, advanced endpoint threat detection, additional monitoring and rapid-response tools, and increased use of cloud-based applications.