
Still recovering, Oklahoma clinic confirms ransomware attack, data breach

Two months after falling victim to a ransomware attack, Oklahoma City Indian Clinic still hasn't recovered. Patients are now being notified their data may have been accessed. (Photo credit: "Oklahoma City Skyline" by Serge Melki is marked with CC BY 2.0.)

The ongoing network disruption at Oklahoma City Indian Clinic was brought on by a ransomware attack, a newly released notification confirms. OKCIC also informed 38,239 patients that their protected health information was accessed during the incident.

It’s been two months since the attack, which has caused delays and access issues with the clinic's pharmacy department. On March 10, the provider reported that “technical issues have left the care team without access to certain computer systems.”

The attack led OKCIC to shut down its pharmacy department's automatic refill line and mail order service. All patients were told to call the pharmacy for needed refills and to provide the needed prescription information, including the drug dosage, chart number, provider name, and directions, along with a government-provided ID.

The issues are still ongoing two months later. The latest update from OKCIC on May 9 shows pharmacy delays will continue for an undetermined amount of time, as the provider must “rebuild patient medication profiles.”

OKCIC has been working with its IT staff and third-party specialists to find a resolution. For now, patients are still being warned that all prescription refill requests require renewals from a provider and will take five business days to complete. Notably, “new prescriptions will take up to four hours.”

“Please be kind to our staff,” OKCIC officials urged on its social media page. “With IT technical difficulties, they are working as quickly as possible to update information, review and refill medications, and continue with patient care in as efficient and safe manner as possible.”

The breach notice provides further details on the incident. The forensic evidence could not rule out the possibility that certain patient information was accessed by the attacker. All patients with information contained in the network are being notified.

The potentially compromised data could include names, dates of birth, treatments, prescriptions, medical records, provider information, health insurance policy number, phone numbers, Tribal ID numbers, Social Security numbers, and driver’s license numbers.

OKCIC has since reset account passwords and implemented further security measures to protect information. All patients will receive free credit monitoring and identity protection services.

Omnicell reports ongoing impacts from ransomware attack

A May 4 ransomware attack against Omnicell, a pharmacy and medication management solutions vendor for the healthcare sector, has impacted certain products, services, and internal IT systems, according to a recent filing with the Securities and Exchange Commission.

Upon discovery, Omnicell took steps to contain the attack and launched its “business continuity plans to restore and support continued operations.” Law enforcement has been notified, as Omnicell works closely with an outside cybersecurity firm and its legal counsel to resolve the incident. 

Omnicell “is in the early stages of its investigation and assessment of the security event and cannot determine, at this time, the extent of the impact from such an event on our business, results of operations or financial condition, or whether such impact will have a material adverse effect.”

After ‘concealed’ ransomware claims, notices raise more questions into ECL

EvergreenHealth and Summit Eye Associates, two Eye Care Leaders (ECL) clients, recently issued breach notices informing patients of potential unauthorized access to their information in connection with a ransomware attack on the third-party vendor. ECL provides an electronic medical record platform to covered entities.

The separate notices detail a December 2021 incident involving ransomware. It follows a recently filed provider-led lawsuit that alleged the business associate concealed a March 2021 ransomware attack from clients, as well as several lengthy service outages throughout 2021.

The lawsuit further detailed claims of multiple cyberattacks and several periods of network disruptions, while ECL continued to bill the providers for services they were allegedly unable to use due to the system outages. 

The lawsuit did not refer to the December 2021 incident outlined in the EvergreenHealth and Summit Eye notifications. However, there may be additional regulatory issues for ECL as the new breach notices show that ECL first detected a ransomware incident on Dec. 4, 2021, but did not notify Summit Eye or EvergreenHealth of a potential patient data breach until three months later. 

The Health Insurance Portability and Accountability Act requires notifications within 60 days of discovery.

The Summit Eye notice shows that the ECL “data security incident” was caused by an attacker accessing the EMR platform and its data in December. The actor then “deleted databases and system configuration files.” Upon discovery, ECL shut down the EMR platform and launched an investigation.

Summit’s systems were not accessed during the attack, but ECL’s ongoing investigation has not determined whether or not Summit’s patient information was involved in the incident. However, ECL informed the provider that “they cannot rule out that possibility.”

The potentially compromised information could include patient names, SSNs, dates of birth, medical record numbers, health insurance details, and treatment information. The Department of Health and Human Services’ breach reporting tool shows 53,818 patients were affected.

Summit urged patients to review “statements they receive from their healthcare providers. If they see any services that were not received, they should contact the provider immediately.”

For EvergreenHealth, the data possibly accessed during the incident could include names, dates of birth, medical record numbers, and treatment information. Officials explained that the impacted EMR only contained data from care received at the eye care clinic; its own systems and non-eye care information were not included in the breached data.

HHS’ breach reporting tool shows 20,533 EvergreenHealth patients were affected.

Summit Eye Associates is currently terminating its vendor relationship with Eye Care Leaders, while “EvergreenHealth is examining its vendor relationship with Eye Care Leaders and evaluating their security safeguards.”

Optima Dermatology email hack impacts 60K patients

The personal and health data of 59,872 Optima Dermatology patients was potentially accessed after the hack of an employee email account. Optima operates a number of U.S. care sites, including the Dermatology Center of Indiana and Advanced Dermatology & Skin Cancer Center. 

The hack occurred more than six months ago, between Aug. 30, 2021, and Sept. 2, 2021. The notice does not detail when the incident was first discovered, just that its “extensive forensic investigation and manual document review” concluded on Feb. 17, 2022.

The investigation confirmed a hacker accessed an employee email account, but the notice provides no further details on how the access was acquired. The impacted data varied by patient and could include names, treatments, conditions, health insurance claims, application information, insurance policies, subscriber numbers, and medical record numbers.

Optima found no evidence SSNs, driver’s license numbers, or financial account/payment card information were involved, nor were all Optima patients included in the breached information.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
