This week's healthcare data breach roundup is led by an update on the cyberattack against East Tennessee Children's Hospital. The latest shows hackers likely accessed patient data during the incident. (Photo credit: "Emergency room" by KOMUnews is marked with CC BY 2.0.)

Several weeks after a cyberattack spurred network disruptions at East Tennessee Children's Hospital, ETCH is notifying an undisclosed number of patients and parents that the threat actors stole sensitive health information during the incident.

As previously reported, an “IT security issue” at ETCH caused several weeks of disruptions to key care services at its downtown location beginning on March 13. Email and X-ray services were taken offline during the attack while patients were told to call before attending scheduled appointments as some would need to be rescheduled.

The hospital’s cyber forensics team worked closely with outside agencies to minimize disruptions, which enabled all hospital locations and services to remain online during the incident. ETCH’s social media posts show many of the impacted systems were restored two weeks ago, but restoration continues.

The breach notice confirms the investigation is ongoing. But they’ve since determined that “certain documents stored within ETCH’s environment may have been copied from or viewed on the system as part of the cyber incident between March 11 and March 14.”

ETCH has determined the compromised systems contained patient names, Social Security numbers, driver’s licenses, state IDs, or non-resident IDs, dates of birth, other demographic details, medical data, health insurance information, financial details, and other sensitive information.

The team is still working to determine the scope of the exfiltration and to identify who was impacted. ETCH has since enhanced the security of its systems.

ETCH was among the handful of providers to be brought offline by attackers this year. The list includes Kentucky’s Taylor Regional Hospital, which is still facing disruptions to its oncology and lab departments more than two months after a cybersecurity incident. Despite its ongoing restoration and investigation, TRH also promptly informed patients of possible data access.

Currently, Oklahoma City Indian Clinic continues to face disruptions to its network and pharmacy departments after a cyberattack launched more than a week ago. Its latest post informs patients that: “the automatic refill line and mail order services will be down for an indeterminate amount of time. If you need refills, please call the pharmacy.”

Ransomware on Michigan cancer center leads to data access

The data of 43,071 patients and employees was accessed during a ransomware attack on Cancer and Hematology Centers of Western Michigan in December. Sent on March 18, the notice does not explain the delay in notifying patients. The Health Insurance Portability and Accountability Act requires providers to give notice within 60 days.

An outside forensic firm supported the specialist with restoring the impacted systems and ensuring the security of the data, as well as an investigation into the scope of the attack. The investigation did not find evidence that the threat actors have current access to the data in its system, nor did it show risk of compromise to other systems.

However, they found a portion of the database was impacted and likely enabled the attacker to access the full names of patients, combined with sensitive identifiers and portions of patient health records. For the impacted employees, SSNs or bank information was possibly accessed.

Cancer and Hematology Centers of Western Michigan has since bolstered its data security procedures, including the decommission of several servers, providing additional employee training, reviewing policies, and contracting with a security monitoring vendor.

Billing administrator reports hack, theft impacting provider clients

More than seven months after the incident, Advanced Medical Practice Management notified 56,427 patients on behalf of several healthcare provider clients that their data was stolen by a threat actor during a systems hack. AMPM is a third-party medical billing administrator.

On Aug. 5, AMPM discovered suspicious activity within its environment and quickly moved to secure the network. A forensic review of the incident determined a hacker acquired “certain files” from the network during the course of the hack, between July 11, 2021, and July 13, 2021.

The investigation found the stolen data include patient names, SSNs, financial account information, driver’s licenses and/or state IDs, credit and debit cards, dates of birth, passport numbers, electronic signatures, medical record numbers, prescriptions, Medicare or Medicaid numbers, treatment locations, diagnoses, insurance details, and other sensitive information. 

As noted, HIPAA requires all covered entities and relevant business associates to inform patients of data breaches impacting more than 500 individuals within 60 days of discovery, not at the close of an investigation.

It appears the complexity of the review of the incident was behind the delay: AMPM launched a “comprehensive review” to determine who was impacted and to whom the data belonged.

“Upon completion of this review, AMPM then worked diligently to reconcile this information with its internal records to confirm the individuals whose information may have been affected and the appropriate contact information for those individuals,” according to the notice. The review ended on Jan. 27.

AMPM reported the incident to federal law enforcement and is currently reviewing and improving its existing data protection and security policies and procedures. The vendor has also implemented additional security measures and retrained employees on security.

CMAC phishing incident leads to data access for 54K patients

Charleston Area Medical Center (CAMC) recently notified 54,000 patients that their personal and protected health information was accessed during a phishing attack in January. CAMC recently merged with Mon Health, which reported an unrelated phishing incident in December.

The “email phishing scam” occurred on Jan. 10 and Jan. 11, which enabled the attacker to take over a number of employee accounts. The attack was discovered on the same day, prompting CAMC to terminate the access and secure the impacted accounts.

The extensive forensic review showed it’s likely the attacker was focused on collecting login information for the employee accounts. However, the notice does state patient information was possibly accessed during the dwell time.

The compromised accounts contained a range of information that varied by patient, including names, medical record numbers, discharge dates, test results, diagnostics, treatments, and other sensitive data. For fewer than 0.001% of the affected patients, the data included SSNs and/or financial account numbers, but no PINs or security access codes.

CAMC has since bolstered its technical security measures and intends to conduct additional employee security training to address measures involved in the incident.