
Ransomware attack on Ascension St. Vincent’s legacy EMR spurs breach notice

A ransomware attack at Ascension St. Vincent Coastal Cardiology affected the Georgia hospital's legacy network used to retain data. (Air Force)

A “security event” deployed against several legacy systems, including an electronic medical record (EMR), at Ascension St. Vincent’s Coastal Cardiology in Georgia has led to the possible compromise of personal and health information tied to an undisclosed number of patients.

After the incident was first discovered on Aug. 15, the security team “immediately secured the legacy network,” but not before ransomware had been deployed and encrypted some of its data. Neither Ascension’s network nor Coastal Cardiology’s active EMR was affected by the incident.

An investigation conducted with assistance from a third-party forensic team revealed that an attacker accessed systems within the legacy Coastal Cardiology network, which Ascension uses to retain data, including patient information, in order to meet regulatory requirements. The data was not used for current business operations.

Investigators have not found evidence the data was removed from the systems or misused by the attackers. But “unfortunately, because the information was encrypted and we are unable to access it, we are unable to tell you exactly what information was affected.”

The legacy EMR contained patients’ personal information and treatment data tied to Coastal Cardiology visits held prior to Oct. 5, 2021, such as demographic details, insurance information, Social Security numbers, clinical information, and billing data. All affected patients are being provided with a free two-year membership of credit monitoring and identity theft detection services.

Ascension informed law enforcement of the event and is continuing to cooperate with their investigation. They also “initiated a security risk assessment, realigned staff responsibilities, removed access rights to the legacy system and retrained associates.”

This is the second Ascension subsidiary to be impacted by a security incident in the last year. In 2021, a ransomware attack on business associate Capture Rx led to the access and exfiltration of data belonging to its connected healthcare clients, including health data from 5,807 Ascension St. Joseph Hospital patients and 2,821 from Ascension St. Agnes.

Ascension Health in Florida was also affected by the massive cyberattack on payroll vendor Kronos earlier this year.

Nationwide Optical informs patients 18 months after vendor hacked

The nearly monthlong hack of the USV Optical network in the spring of 2021 led to protected health information being accessed or stolen. However, USV did not inform Nationwide Optical Group and Nationwide Vision Center of the impact to their patients until September 2022. USV is a subsidiary of U.S. Vision.

Nationwide Optical Group was acquired or became affiliated with several USV entities in September 2019, including Nationwide Optometry and SightCare. At that time, USV began to provide Nationwide with administrative services as a business associate. The patient data stolen during the incident was tied to services provided by Nationwide.

Suspicious activity was first discovered on the USV network on May 12, 2021, prompting an investigation. The analysis revealed a threat actor “intermittently” accessed the network between April 20, 2021, and May 17, 2021. During that time, the actor viewed and/or stole patient data.

Nationwide Vision was notified by USV about the incident at that time, but the investigators were unable to identify the entities or patients affected by this incident. In response, officials said they worked to gain more information from USV and “insisted” they monitor the dark web for any evidence their data was leaked. However, USV did not report any instances of actual misuse.

Further, USV conducted a review of the impacted files to determine what information was affected, which concluded on Sept. 22. Nationwide Vision “conducted additional data enrichment and validation to further confirm” the impact to patients. That review was completed on Oct. 17.

These lengthy reviews appear to be an attempt to explain the lengthy delay between discovering the breach and informing patients. But as the Office for Civil Rights recently reminded entities, the Health Insurance Portability and Accountability Act requires entities to notify patients within 60 days of discovery, not at the close of an investigation.

For patients in the Nationwide Vision data, the 2021 incident affected each individual differently and could include names, dates of birth, contact details, Social Security numbers, taxpayer IDs, driver’s licenses or state IDs, financial account information, treatments, medical record numbers, provider names, dates of service, health insurance details, and other sensitive data.

For some patients, biometric data and/or email address or username and password were also exposed or possibly stolen. All affected patients will receive free credit monitoring and identity restoration services.

USV is currently evaluating possible security improvements, while Nationwide Vision is continuing to bolster its security controls and monitor its systems.

Fred Hutchinson Cancer Center reports business email compromise from March

An undisclosed number of patients were recently informed that their data was possibly compromised in March, after the compromise of a single employee email account. FHCC was previously known as Seattle Cancer Care Alliance.

On March 26, the security team discovered suspicious activity in an employee email account and worked to secure it. The subsequent investigation concluded about one month later, finding that a hacker accessed the account for two days in March. The long delay in notifying patients appears to be attributed to “a comprehensive review of the contents of the email account.”

The investigators did not find evidence that might suggest the attacker was seeking out patient information, but access could not be ruled out. As a result, the potentially compromised data could include a range of personal and protected health information, which was not listed on the letter sent to state regulators.

The cancer care provider promptly notified federal law enforcement of the incident and has since taken steps to prevent a recurrence.

Phishing campaign against Michigan Medicine impacts four email accounts

Michigan Medicine recently informed 33,850 patients of a potential data compromise brought on by highly targeted phishing attacks against its employees in August.

This is the second email-related breach notice from Michigan Medicine this year. A February notice to 2,920 patients described a single email account hack compromising patient data. And in 2019, more than 3,000 employees were targeted with phishing emails. Just three employees responded, leading to exposed data for 5,466 patients.

The latest notice from Michigan Medicine describes an eight-day phishing email campaign against its employees. The threat actor attempted to lure employees to a nefarious webpage, where they were prompted to enter their login credentials.

Only four employees were successfully tricked into doing so, but entering their credentials led them to “inappropriately accept multi-factor authentication prompts,” which gave the attacker access to their email accounts. The account hacks were discovered on Aug. 23, prompting the disabling of the accounts “so no further access could take place and password changes were made.”

Michigan Medicine found no evidence to suggest the attack was designed to obtain patient data, but they were unable to rule out data theft and have presumed the information was compromised. As such, they began a detailed, thorough review to determine which patients were affected.

Some emails and attachments were found to contain identifiable data, including names, medical record numbers, contact information, diagnostics, treatments, dates of birth, and/or health insurance details. The emails were tied to “job-related communications for coordination and care of patients, and information related to a specific patient varied.” Just one patient’s SSN was involved.

“Additional technical safeguards on our email system and the infrastructure that supports it were also put in place to prevent similar incidents from happening,” according to the notice. The email accounts did not contain any credit card, debit card or bank account numbers.

The provider leverages robust training and education for its employees to boost awareness, including the use of phishing simulation “so employees are trained on what to look for, and how to identify and report them.”

“The employees involved in this incident had previously been involved in these training exercises, and they are subject to disciplinary action under Michigan Medicine policies and procedures,” officials explained. The provider is currently assessing its ability to add further safeguards on its email system and infrastructure.

SC Media previously detailed the compliance nightmare of email attacks, as well as the high frequency of targeting against healthcare providers through tailored phishing campaigns.

Employee health plan data accessed during Wenco Management hack

Wenco Management recently informed 20,526 employees enrolled in its health and welfare benefit plan that their data was accessed during a network hack in August. Wenco Management is the company behind Wendy’s franchise restaurants.

After the intrusion was first discovered on Aug. 21, the security team promptly took steps to secure systems and launched an investigation with support from an outside cybersecurity firm. They determined an outside actor accessed the network on the day it was discovered and was able to access certain files during that time.

The accessed files were confirmed to be the enrollment records of participants of Wenco’s employer-sponsored health plan, including names, SSNs, and plan selection information. Individuals are being offered credit monitoring services.

Wenco Management is currently enhancing its existing security measures.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
