Connecticut-based Aetna ACE recently notified 326,278 plan members that their data was possibly accessed during a ransomware attack against their printing and mailing vendor OneTouchPoint.
OTP previously informed 30 health plans of the impact to their patient data, but Aetna was not included on that list. Reported to the Maine Attorney General in late July, the OTP notice shows 1.07 million patients were notified of a ransomware-related incident first detected on April 28.
An investigation into the scope of the incident determined a threat actor first accessed certain servers a day before deploying the ransomware. OTP was unable to determine the specific files accessed by the attacker during that time. The impacted servers contained patient names, member IDs, and information provided during health assessments.
No Social Security numbers or financial data were impacted, outside of one health plan where SSNs were involved. The findings were disclosed to impacted providers on June 3. It’s important to note that The Health Insurance Portability and Accountability Act requires disclosures within 60 days of discovery and without undue delay.
The OTP site lists 30 impacted health plans, including Clover Health, a number of Blue Cross Blue Shield branches, HealthPartners, and multiple Regence BlueCross, or BlueShield departments. One Blue Shield notice shows that it was its subcontractor, Matrix Medical Network, that leveraged OTP for its printing and mailing.
OTP informed law enforcement and is currently adding new safeguards while reviewing its policies and procedures relating to data privacy and security.
Aetna reported the incident to the Department of Health and Human Services on July 27 and its notice shows that only a limited range of patient data was impacted, including names, dates of birth, contact details, and some medical data.
It’s the second vendor-related incident for an Aetna ACE branch reported within the last two years. The data of 484,154 plan members was likely accessed during the hack of its vendor EyeMed in 2020.
Goodman Campbell’s June ransomware attack led to data theft
A new notice from Goodman Campbell Brain and Spine seems to confirm that Hive threat actors stole and leaked patient data in the wake of the ransomware attack and subsequent network outage reported in June. The Maine Attorney General report shows 362,833 patients have been notified of the data impact.
Goodman Campbell previously reported that it fell victim to a cyberattack on May 20, which disrupted both network and communication system operations. It took the provider about a month to fully recover its systems. The FBI and an outside cybersecurity specialist were contacted to help with the response.
At the time, Goodman Campbell officials said they were “not yet been able to verify the full nature and extent of personal data that may have been compromised,” and its initial findings confirmed that patient and employee data was indeed accessed by the threat actor.
However, Hive threat actors had posted proofs on its leak site that suggested they were behind the attack. The breach notice upholds the leak: “We do know that some information acquired by the attacker was made available for approximately 10 days on the dark web.”
The notice also provides further details into the attack, including that forensics confirmed both employee and patient data was stolen from its systems. The investigation couldn’t verify the extent of the compromise, but that the information included patients’ medical, financial, and demographic information.
The electronic medical record system was not accessed during the attack. Rather, the threat actors accessed and exfiltrated data from “other locations on our internal network, such as appointment schedules, referral forms, and insurance eligibility documentation.”
Overall, the stolen data appears to include full names, SSNs, dates of birth, contact information, medical record and patient account numbers, diagnoses, treatments, provider names, insurance details, and dates of service.
Goodman Campbell has since implemented new security monitoring tools to prevent a recurrence.
Avamere Health network hack impacts 380K patients
A network hack against Avamere Health six months ago led to the theft of data for 379,984 patients, which includes 183,254 patients from its client Premere Infinity Rehab. Infinity Rehab is contracted with Avamere for its IT services.
“Intermittent unauthorized access” was discovered on a third-party hosted network used by Avamere, but the notice does not specify when the hack was first discovered. The investigation concluded on May 18 that the threat actor had access to the network for two months between Jan. 19 and March 17.
Supported by consultation with an outside cybersecurity firm, the investigation revealed that the hacker removed a limited number of files and folders from the network.
The stolen data varied by patient and could include protected health information, which included patient names, contact details, dates of birth, SSNs, driver’s licenses or state identification numbers, claims data, financial account numbers, medications, lab results, and medical diagnoses. All affected patients will receive free credit monitoring services.
Avamere’s notice lists approximately 80 care sites impacted by the incident, 59 of which appear to be Avamere-owned sites. The incident posting on Infinity Rehab’s site shows another 68 care sites were involved, for a total of about 142 care sites affected by the hack and data theft.
258K patients learn about 2021 PracticeMax breach
Some patients affected by a ransomware attack and data exfiltration incident at PracticeMax in 2021 are only now learning that their data was involved in the incident. The HHS breach reporting tool shows 258,411 patients tied to Fast Track Urgent Care Center were notified their data was likely stolen during the third-party vendor incident.
In October 2021, the PracticeMax notice detailed the incident, where attackers gained access to some client networks after hacking into the vendor network and deploying ransomware on May 1, 2021.
However, Fast Track’s notice shows not all provider networks were hacked during the incident. It appears the urgent care provider was first informed of the ransomware incident on May 10, 2021. At that time, PracticeMax couldn’t confirm whether or not their data was impacted by the attack.
It wasn’t until Feb. 14, 2022, that Fast Track learned it was possible their data was involved. But since PracticeMax’s investigation was ongoing, the data access was not confirmed until June 6.
The compromised data varied by patient and could include names, SSNs, passports, contact details, dates of birth, driver’s licenses or government IDs, treatments, diagnoses, health insurance information, financial data, and other medical information. What’s not clear is why the previous PracticeMax breach notice said the investigation concluded on Aug. 29, 2021.
49K McLaren Port Huron patients added to MCG breach tally
About 49,000 patients tied to McLaren Port Huron Hospital were recently notified that their data was among the information stolen from MCG Health, a business associate that provides care guidelines to healthcare entities and health plans.
In June, MCG first reported that a threat actor stole patient data after a “security issue,” but didn’t explain how the theft occurred or whether it was a cyberattack. MCG determined on March 25 that an actor obtained data matching patient information stored on its systems.
A week later, eight more providers were added to the tally. McLaren Port Huron’s notice matches those earlier notifications and adds: “Due to the delay in McLaren Port Huron receiving notice of this event, we have not conducted our own investigation to determine the probability of an actual compromise of our patients’ data arising from this event.”
As such, the hospital is presuming it was a breach as defined by HIPAA. MCG reported the incident to HHS as affecting 793,283 patients, but other state reporting sites show the tally at 1.1 million individuals.
Healthback email hack impacts 21K patients
Home health provider Healthback Holdings recently informed 21,114 patients that their data was likely accessed during the hack of several employee email accounts. The unauthorized access was first detected on June 1 but the attackers had access to the accounts for nearly six months, from Oct. 5, 2021, until May 15, 2022.
The subsequent forensic analysis could not determine what, if any, emails were viewed by the threat actor. A review of the accounts found they contained patient names, SSNs, health insurance information, and clinical data. All patients are being offered free credit monitoring and identity theft protection services.
Healthback has since bolstered its email security protocols and provided employees with additional training around phishing emails.
