Ransomware, Incident Response

Texas hospital confirms patient data theft amid network outage from ransomware attack

OakBend Medical Center confirmed that sensitive information was breached in a ransomware attack. (U.S. Army)

OakBend Medical Center has confirmed “sensitive information was breached within the hospital infrastructure,” after two weeks of electronic health record downtime brought on by a ransomware attack. The Texas provider is working with federal law enforcement amid the network outage.

As previously reported, the cyberattack was deployed against OakBend Medical on Sept. 1, which has led to communication issues and IT disruptions. The provider has been operating in “lockdown” mode since discovering the intrusion and took all systems offline as it worked to rebuild.

“At no time was patient safety ever in jeopardy,” officials stressed at the time. But the outage has caused communication issues for patients, vendors, doctors, and administrators. The hospital brought on the FBI, Ft. Bend County Government Cyberteam, and CYD to lead the investigation.

Just days after the hospital announced the continued system impacts, Brett Callow, a ransomware expert at Emsisoft, reported on Twitter that the Daixin threat group had claimed the attack on OakBend. Data proofs posted on the group’s leak site indicate the actors claim to hold more than 1 million records containing personally identifiable information and protected health information.

The description of the alleged data trove includes Social Security numbers, medical services, treatments, and other sensitive information, and the first leak appears to be employee PII. Daixin claims to have pulled the data from the hospital’s internal servers.

The latest update from the hospital asks the public to give the response team the time to appropriately address the data incident and then properly disclose the compromise to the government.

The hospital is continuing to experience phone system disruptions and currently does not have voicemail capabilities. Officials estimate the lines should be restored by the end of the week. OakBend has since brought its email system back online and is continuing to restore the network to full operations.

Ransomware attack on Empress EMS leads to data theft for 319K

On July 14, Empress EMS in Yonkers, New York, discovered some of its systems were encrypted with ransomware and quickly worked to contain the spread. The investigation found that the attackers first gained access to the network several months before the attack deployment and used the access to steal a subset of data tied to 318,558 patients.

The stolen data included patient names, dates of service, insurance details, and Social Security numbers for some patients. The incident has been reported to law enforcement.

Empress EMS has since bolstered its systems security and is continuing to enhance its protocols to better protect patient information.

Medical Associates of the Lehigh Valley incident spurs data access

Nearly 76,000 patients tied to Medical Associates of the Lehigh Valley (MATLV) were recently notified that their data was likely accessed after the Pennsylvania provider fell victim to a “sophisticated ransomware attack.”

Upon discovering the network intrusion, MATLV secured the network and launched an investigation with support from third-party forensic specialists. Federal law enforcement was also notified. Their analysis revealed that certain files were possibly accessed as part of the cyberattack, including protected health information.

The compromised PHI varied by patient and could include names, contact information, dates of birth, SSNs, driver’s licenses or state IDs, health insurance provider, diagnoses, treatments, medications, and/or lab results.

MATLV has since evaluated and reinforced its existing security measures and network facilities.

Physicians’ Spine and Rehabilitation Specialists reports data theft

A security incident discovered by The Physicians’ Spine and Rehabilitation Specialists of Georgia on July 11 resulted in the theft and leak of protected health information tied to 38,765 patients.

A response team brought in an outside information security team to investigate, which aggressively responded to the situation. All passwords were reset and its security systems were “restored promptly to avoid any material delays in clinical care.”

“Despite numerous security measures that were in place prior to the incident,” however, the hackers first gained access to the network one week before the intrusion was discovered. The dwell time enabled the actors to steal data, the data proofs of which were posted on the dark web.

The notice explained that the provider “is unsure exactly what if any personal information was actually taken.” The response team believes that if medical or billing information was stolen it varied by patient and might include names, SSNs, contact details, dates of birth, driver’s licenses, diagnoses, treatments, insurance information, and/or guarantor details.

No patient credit card or bank account numbers were involved, as the provider does not store that type of data. All impacted patients will receive free credit monitoring and identity theft insurance.

Two-day hack of Lubbock Heart & Surgical Hospital leads to theft

Over 23,300 patients of Lubbock Heart & Surgical Hospital were recently informed that their data was possibly accessed and/or copied from the network, after a ransomware attack disrupted some IT operations.

First discovered on July 13, the response team “quickly blocked” the unauthorized access and worked to contain the incident. The investigation that followed was led by law enforcement and third-party forensic leaders. The analysis found the access began two days before discovery and was designed to copy certain files.

The potentially stolen data could involve names, contact details, demographic information, dates of birth, SSNs, diagnoses, treatments, prescriptions, Medical Record Numbers, provider names, dates of service, and/or health insurance information. The investigation could not rule out access or exfiltration.

Patients whose SSNs were stolen or compromised will receive free credit monitoring and identity protection services.

Genesis Health reports data theft from April

A threat actor accessed or removed patient information from Genesis Health Care in South Carolina, which impacted the data of 21,226 patients.

Genesis Health officials first discovered the intrusion as “suspicious activity” on some network systems on April 11. An investigation was launched with outside support to confirm the scope of the incident and restore the functionality of its systems.

The analysis did not determine the scope of the incident until June 9, confirming that the threat actors had network access for four months, from January 19 to April 11. The team launched “a thorough and time-intensive programmatic and manual review of the potentially impacted files.”

Genesis is currently reviewing its existing cybersecurity policies and procedures and intends to add further measures and safeguards to protect patient information.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
