Patient data stolen ahead of Memorial Health ransomware attack, EHR downtime

Network outages and service disruptions have become a prevalent fallout from cyberattacks in healthcare. After the Kronos incident, providers must evaluate how to maintain business continuity. (Photo by Cate Gillon/Getty Images)

Memorial Health System in Ohio has confirmed that threat actors accessed or acquired health information tied to about 216,000 patients prior to deploying a ransomware attack in August.

On Aug. 14, the security team first discovered the ransomware attack, which appeared as malware on certain servers within the MHS environment. As reported at the time, the network outage led to care diversion for emergency patients and the cancelation of urgent care surgeries and radiology exams.

The care disruptions lasted for more than a week, as MHS “negotiated a solution” to restore operations that resulted in the receipt of keys to unlock the servers and support system recovery through a “deliberate, systematic approach to bring systems back online securely and in a manner that prioritizes our ability to provide patient care.”

Although the statement alludes to it, MHS did not share whether it paid the ransom demand.

The breach notice sheds further light on the incident, including details on the initial hack that began on July 10, more than a month before the ransomware was deployed. On Sept. 17, the investigation revealed the hackers accessed or acquired the contents of the affected systems.

It appears the forensic analysis into finding the best contact information was behind the delayed breach notice. Under the Health Insurance Portability and Accountability Act, breaches of protected health information impacting 500 or more patients must be disclosed within 60 days of discovery, not at the close of an investigation.

A review conducted of the relevant systems found the potentially accessed and stolen data varied by individual and could include names, Social Security numbers, dates of birth, medical record numbers, patient account numbers, treatment information, and other medical data.

Oddly, despite the potential data theft, the notice asserts “we have no reason to believe that any identity theft or unauthorized use of the affected information occurred.”

MHS has since added further technical safeguards to improve the security of the data in its possession, while improving the security of its environment.

TTEC Healthcare Solutions reports ransomware attack impacted patient data

HIPAA business associate TTEC Healthcare Solutions confirmed to the Department of Health and Human Services on Jan. 7 that a previously disclosed ransomware attack in September compromised the health information of 86,305 patients.

TTEC is a customer support and online sales management vendor for a number of industries. On Sept. 12, a cyber incident was discovered on a number of systems, prompting the security team to isolate the affected systems and launch an investigation along with remediation and recovery efforts to contain the attack.

The attack led to disruptions for a number of customers over the course of five days. At the time, Ken Tuchman, TTEC chairman and CEO, explained, “Our team moved aggressively to rebuild and further solidify our processes and infrastructure. TTEC continues to prioritize our client and people-facing processes and systems.”

The breach is listed on the HHS breach reporting tool, but there’s no public notice on TTEC’s website. A disclosure to one impacted client sheds further light on the incident: “TTEC had the incident between March 4, 2021, and Sept. 12, 2021.”

During the hack, an attacker viewed or downloaded certain client files stored on the TTEC systems. It appears clients were notified of the incident on or around Oct. 27. Once the attack was contained, TTEC launched an investigation with assistance from an outside cybersecurity firm and notified law enforcement.

The investigation determined the potentially stolen information varied by individual and could include names, SSNs, contact information, dates of birth, and Medicare ID numbers. All impacted patients will receive free credit monitoring services.

TTEC is continuing to work with the FBI and law enforcement on their ongoing investigations and has since hardened its cybersecurity.

Hack of SonicWall vulnerability leads to MRIoA data breach

Medical Review Institute of America along with some of its connected health providers and clients recently notified 134,571 patients that their data was taken from the MRIoA, after the hack of an unpatched SonicWall vulnerability in November.

The “sophisticated cyber incident,” which led to unauthorized access to the MRIoA network, was discovered on Nov. 9, 2021. The forensic analysis concluded that the hack began a week before it was discovered. Once the SonicWall access point was determined, MRIoA closed the security gap and secured the network.

A week after discovering the systems hack, “MRIoA retrieved and subsequently confirmed the deletion of the obtained information.”

The stolen data included demographic information, contact details, dates of birth, SSNs, diagnoses, treatments, medical histories, dates of service, lab test results, prescriptions, provider name, medical account number, financial data, and other health-related information.

MRIoA has since built new servers from the ground up to ensure all threat remnants were removed, added further authentication protections for system access, deployed and hardened its backup environment, and enhanced employee cybersecurity training.

In light of continued vulnerability exploits, the incident should serve as a warning to other healthcare providers of the importance of minimizing risk around unpatched vulnerabilities, even those not specific to the healthcare environment.

Suncoast Skin Solutions reports breach, 6 months after ransomware attack

Suncoast Skin Solutions recently notified HHS and 57,730 patients of a ransomware attack that could have exposed certain healthcare information. Suncoast is a dermatological care provider based in Florida.

On July 14, Suncoast discovered that an attacker had encrypted the data on some of its systems and swiftly acted to prevent the encryption of additional systems. A third-party cybersecurity firm was brought on to assist with the investigation and forensic review, which concluded in October.

The investigation found limited patient data was potentially viewed during the cyberattack, including names, dates of birth, clinical information, provider notes, and limited treatment data.

The notice adds an interesting note that Suncoast is in the process of “transferring all of its patient data to an encrypted system.” While encryption is not required under HIPAA, covered entities and business associates are required to document the reason behind the use of another security method.

“The encryption implementation specification is addressable, and must therefore be implemented if, after a risk assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of e-PHI,” according to HHS.

“If the entity decides that the addressable implementation specification is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate,” it added.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.