Ransomware, Breach, Supply chain

Ransomware attack drives Indiana provider offline; vendor breach impacts 173K dental patients

A dentist administers oral anesthesia before extracting a tooth at a free health clinic on July 22, 2017, in Wise, Va.  (Photo by John Moore/Getty Images)

Vendor incidents and cyberattacks leading to network outages remain the leading threats against the healthcare sector, as two more providers report falling victim to these types of incidents. The network of Central Indiana Orthopedics is currently offline after being hit with ransomware, while Dental Alliance reported a breach impacting multiple dental care sites.

Ransomware strikes Central Indiana Orthopedics

Central Indiana Orthopedics posted a notice on its website to inform patients that the care site was currently offline following a ransomware attack six days ago on Oct. 16.

An “organization-wide network interruption” prompted the security team to take all systems offline to reduce the impact of the event as they work to restore the network from backups with support from a third-party cybersecurity firm.

CIO is currently investigating the cause of the incident and the overall impact. Providers are continuing to treat both scheduled and walk-in patients during the outage, which is causing some delays.

First reported by DataBreaches.net, it appears the Grief ransomware hacking group has already claimed the attack and leaked some of the data allegedly stolen from the specialist.

The leak joins two other healthcare victims in the last week. Lockbit is threatening to leak data they claim to have stolen from Washington-based nonprofit Merit Resource Service, corporate name The Valley Alcohol Council. The ongoing timer is set for Nov. 4 when “all available data will be published.”

Meanwhile, Groove is threatening to publish data they claim to have stolen from Tri Valley Primary Care in Pennsylvania. Notably, the provider’s website was down at the time of publication.

Professional Dental Alliance phishing-related breach

Multiple Professional Dental Alliance providers reported data breaches to the Department of Health and Human Services within the last week, tied to a phishing-related incident at Dental Management, its administrative and technology support services vendor, nearly six months ago. PDA is a network of dental providers across 15 states.

The breach was reported to HHS by at least 11 PDA care sites and 172,933 patients.

Between March 31 and April 1, Dental Management discovered unauthorized access to several employee email accounts containing patient information. Officials said they believe the attack was designed to harvest email credentials, but the investigation could not rule out access to the information in the accounts.

The impacted data belonged to patients, patient representatives, or guarantors and varied by individual. The information could include names, Social Security numbers, contact information, email addresses, dental information, insurance details, and financial data.

The notice is scant on details and gives no explanation for the extended delay in notifications. Under The Health Insurance Portability and Accountability Act, covered entities and business associates are required to provide notice of breaches impacting 500 or more patients within 60 days of discovery, and without delay.

American Osteopathic Association reports data exfiltration from 2020

On Oct. 13, Chicago-based American Osteopathic Association began notifying 27,500 individuals that their data was exfiltrated during a hacking incident in June 2020. AOA is a representative member organization for over 145,000 osteopathic providers and medical students.

AOA discovered suspicious activity on some of its systems on June 25, 2020, prompting an investigation into the scope and nature of the incident. Officials said that during the incident, an unauthorized actor stole numerous data sets belonging to patients, including names, SSNs, contact details, financial account information, and credentials.

Given ongoing challenges with the COVID-19 pandemic, the notice explained that the investigation into the hack did not conclude until June 1, 2021.

Ransomware attack on PracticeMax leads to breach of health insurer

VillageHealth, an Anthem plan for patients with end-stage kidney disease, recently notified patients that their data was compromised after a data exfiltration incident and ransomware attack on its third-party vendor, PracticeMax. The program delivers care coordination between patients’ dialysis center, nephrologist, provider, and Anthem.

Attackers had access to the VillageHealth network between April 17 and May 5. The security team detected the incident with the deployment of ransomware on May 1 and launched an investigation and recovery efforts. The provider regained access to the system on May 5.

A forensic review found one impacted server contained protected health information, which was accessed and taken by the attacker. The stolen data could include patient names, dates of birth, contact information, Anthem member numbers, and clinical data tied to the received kidney treatment. SSNs and financial data were not involved.

The PracticeMax notification explained the investigation concluded on Aug. 29, several months after the incident. The notice does not explain why notices were sent outside the HIPAA-required 60 day requirement.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.