Breach, Incident Response, Ransomware

RefuahHealth informs 261K patients of May 2021 network data theft

RefuahHealth notified more than 260,000 patients after a May 2021 network intrusion. Pictured: An Air Force pharmacy technician verifies prescriptions at MacDill Air Force Base, Fla., Oct. 20, 2021. (Airman 1st Class Lauren Cobin/Air Force)

RefuahHealth is notifying 260,740 patients that their personal and protected health information was stolen during a two-day network hack nearly a year ago in May 2021. The New York-based community-based provider is a federally qualified health center.

It’s unclear by its notice just when RefuahHealth first noticed the network intrusion, but it “occurred between May 31, 2021, and June 1, 2021.” Given the 60-day reporting requirement outlined in The Health Insurance Portability and Accountability Act, the gap between the actual hack and notifications is questionable.

RefuahHealth partnered with a cybersecurity professional to support the investigation and analyze the scope of the compromise. The team concluded that the systems hack directly led to the data exfiltration of patient data.

The stolen data varied by patient and could include names, Social Security numbers, dates of birth, driver’s licenses, state IDs, bank or financial account details, financial card information, treatments, diagnoses, Medicare and Medicaid numbers, medical record or patient account numbers, and/or health insurance policy numbers.

Patients whose SSNs were affected by the incident will receive free credit monitoring services. In response to the hack, RefuahHealth installed a new firewall and performed a vulnerability assessment.

Data theft impacts 81K NuLife Med patients

The data of 81,244 current and former NuLife Med patients was possibly accessed or stolen by a threat actor during a systems hack in March. NuLife is a medical equipment company based in New Hampshire.

The attacker first gained systems’ access on March 9 and was discovered two days later. NuLife launched an investigation and contacted law enforcement, while working “to restore functionality to impacted systems.” The notice does not clarify whether the hack was tied to ransomware. 

The subsequent investigation could not determine “with certainty the exact files” the actor accessed or exfiltrated, just that it varied by individual. The data could include names, contact details, medical data, health insurance information, SSNs, driver’s licenses, financial accounts, and credit card details.

Schneck Medical’s 2021 cyberattack, outage led to data theft

Amid the investigation into its September 2021 cyberattack, Schneck Medical Center in Indiana discovered an attacker removed a number of files from its systems ahead of the attack.

The attack was deployed late Sept. 29, prompting the security team to suspend access to all IT applications across the hospital network. The attack also caused issues with the phone systems, with patients reporting access challenges with the patient portal and the provider website.

Schneck officials informed the public at the time that most patient services were unaffected by the incident, although urology, pulmonology, endocrinology, and neurology patients were told to call the medical center with questions. 

The latest breach notice sheds few details on the previously shared reports, outside of the “removed files.” After its “extensive forensic investigation and manual document review”, the investigation determined that one or more of the files stolen by the hacker contained patient data.

The protected health information involved full names, SSNs, financial account information, payment card details, dates of birth, contact information, medical record and internal identification, driver’s licenses, state IDs, diagnoses, conditions, health insurance, and claims data. Not all Schneck patients were impacted.

Schneck has since strengthen its IT security measures to prevent a recurrence.

Southern Ohio Medical reports breach, 5 months after cyberattack

About five months after facing a cyberattack that led to several weeks of network disruptions, Southern Ohio Medical Center notified 15,136 patients that their data was accessed and possibly stolen ahead of the outage.

As previously reported in November, SOMC was forced to cancel a number of appointments after a Nov. 11 cyberattack forced the 248-bed hospital into electronic health record downtime procedures. For more than a week, the provider maintained care diversion processes, with canceled appointments occurring for weeks after the initial incident.

At the time, patients reported disruptions to the patients portal, while clinicians reported a surge in telephone calls from concerned patients. SOMC maintained transparency throughout the incident, which was reflected in a positive outpouring of support from patients in the community.

The transparency continues in its breach notice, which explains the delayed notifications were caused by the lengthy review of impacted files and work to find the contact information of affected patients.

The investigation confirmed the initial hack began just one day before the attack was deployed, enabling the attacker to access and potentially obtain certain files. The potentially stolen data varied by patient and could involve SSNs, dates of birth, treatments, diagnoses, health insurance details, passports, U.S. Alien Registration number, and employer ID numbers. 

SOMC has been working with the FBI on its investigation and has since added further security safeguards.

Network hack of Vail Health Services leads to patient data access

Vail Health Services recently informed 17,039 patients that their data was accessed during a hack of its network systems. The hack first revealed itself as network issues, which prompted an investigation. The notice contains no details into when the incident was first discovered, just that its investigation concluded on April 5. 

The analysis determined that a hacker viewed “limited portions” of patient health information on Feb. 11, by gaining access to a restricted location within the Vail Health Network that contained a subset of files tied to COVID-19 testing data from across the enterprise. 

Investigators confirmed data access, but don’t believe the data was copied or downloaded from the network. The data included the protected health information of patients who received COVID-19 tests from Vail Health locations, including full names, dates of birth, contact details, test results, and encounter numbers.

SSNs, driver’s license numbers, financial data, or other sensitive information were not contained in the impacted system.

Although the incident was contained to a system with restricted access, Vail Health is currently further strengthening its information security measures “to further restrict the ability to access that file location and have removed the impacted files from that location.”

McKenzie Health System reports possible patient data theft

A March 11 “security incident” at McKenzie Health System in Michigan disrupted some IT system operations. A recent breach notice shows the attacker possibly accessed and stole the data belonging to 25,318 patients during the cyberattack.

Upon discovery, the health system secured the system, notified law enforcement, and launched an investigation with support from a third-party forensic investigator. Once the potential data theft was confirmed, McKenzie Health analyzed the impacted files to determine the impact to patient data.

Only a small subset of McKenzie Health patients were affected by the incident. The data could include names, SSNs, contact details, dates of birth, demographic information, diagnoses, treatments, prescriptions, medical record numbers, provider names, dates of service, and/or health insurance details.

Patients whose SSNs were included in the stolen data will receive complimentary credit monitoring and identity protection services. McKenzie Health has since implemented additional safeguards and technical security measures to prevent a recurrence.

FCIP email hack affects data of 10K patients

The hack of a Fairfield County Implants & Periodontics (FCIP) employee email account led to the potential compromise of data tied to 10,502 patients.

The notice does not explain when or how the incident first began, just that it discovered personal information “was included” in a compromised email account. An analysis of the impacted account determined patient names, contact details, dates of birth, emails, SSNs, health insurance, treatments, and medical histories were possibly compromised.

FCIP could not “conclusively rule out the possibility that personal information was compromised.” As such, all patients are eligible to receive two years of identity theft protection services. The provider intends to bolster its security, as it assesses its current privacy and security controls.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.