A single email account hack spurs breach notice for 503K Christie Clinic patients

This week’s healthcare breach roundup contains multiple email hacks and is led by the ransomware attack on Yuma Regional Medical Center that impacted 700,000 patients.

The hack of a single employee email account at Christie Clinic led to the potential access of protected health information tied to 502,869 patients. Christie Clinic is one of the largest multi-specialty group medical practices in Illinois.

The breach notice does not disclose when the email hack was first discovered, just that its investigation concluded on Jan. 27, 2022. However, the initial monthlong account hack occurred six months prior, between July 14 and Aug. 19, 2021.

Upon discovery, the account was secured, and Christie Clinic contacted law enforcement. Its subsequent investigation determined the hack aimed to “intercept a business transaction between Christie Clinic and a third-party vendor.”

The analysis was unable to determine the “extent email messages in the account were actually viewed or accessed by an unauthorized actor.” As such, Christie Clinic launched a review into the impacted account to determine what patient information it contained. In March, the team confirmed the employee account possibly contained patient data.

The impacted information varied by patient and could include Social Security numbers, addresses, medical information, and health insurance details. The hack did not affect any other computer systems, the electronic medical record systems, or patient portal.

Christie Clinic has since implemented additional security safeguards to its network security tools. With its tally of 502,869 potential breach victims, the incident is only the fourth largest healthcare data breach reported this year behind Broward Health (1.35 million), JDC Healthcare Management (1.03 million), and third-party vendor Morley (521,046 clients).

Data theft impacts 107K patients, after Urgent Team network hack

Approximately 107,000 patients tied to Urgent Team Holdings were recently notified that their data was stolen, following a six-day network hack in November 2021. Urgent Team is one of the largest independent urgent and family care operators with 72 locations in Alabama, Arkansas, Georgia, Mississippi and Tennessee.

Upon discovery, Urgent Team launched an investigation in consultation with a third-party cybersecurity firm. On Jan. 31, the investigation concluded and determined patient data “may have been removed” from the network between Nov. 12, 2021, and Nov. 18, 2021.

The potentially stolen data could include dates of birth and/or medical records. The notice also states: “we have no evidence that this information was actually viewed or removed.” Urgent Team provided no further details or clarity into the incident.

Urgent Team has since modified its privacy and security practices and controls, including the implementation of multi-factor authentication and an antivirus solution that monitors for any unauthorized systems’ access.

Wellstar Health reports email hack impacting patient data

Wellstar Health System is notifying an undisclosed number of patients that two employee email accounts were hacked for a monthlong period beginning on Dec. 6, 2021, impacting the privacy of their protected health information. Wellstar is one of the largest health systems in Georgia.

The notice does not explain when the hack was first discovered. Instead, Wellstar explained they first confirmed the accounts contained patient information on Feb. 7. The lengthy timeline to discover this information is unclear, considering that the Health Insurance Portability and Accountability Act requires patients to be notified without undue delay.

Upon discovering the intrusion, access to the two impacted accounts was disabled. Wellstar also issued a mandatory password reset for all accounts to prevent any further access from unauthorized parties.

The investigation confirmed the “accessed email accounts” contained information belonging to patients, including names, medical record numbers, Wellstar account numbers, and laboratory information. SSNs and financial information were not contained in the impacted accounts.

Wellstar has since bolstered its technical safeguards, including adding security measures to its email system and providing employees with additional security awareness and email security training.

Newman Regional Health notifies 52K patients after email hack

The hack of several employee email accounts belonging to Newman Regional Health in Kansas led to the potential exposure of health information tied to 52,224 patients.

The notice does not describe when the security incident was first discovered, only that it identified suspicious activity within a single employee email account, secured the email system, and launched an investigation with outside assistance. The forensics showed an attacker accessed multiple email accounts for 11 months between Jan. 26, 2021, and Nov. 23, 2021.

The “extensive review and analysis” was not completed until March 14, 2022, when Newman Regional identified the individuals whose information was affected during the hack.

The compromised data varied by patient and could include names, dates of birth, medical record or identification numbers, contact details, health information, treatments, insurance details, and/or employee information collected by Newman Regional for its workforce. SSNs and financial information were included in the exposed data for a limited number of patients.

Stolen hard drive prompts swift notice from Resources of Human Development

A hard drive was stolen from Resources of Human Development on Jan. 27, which could affect the personal and protected health information of 46,673 individuals. RHD is a national human services nonprofit based in Philadelphia.

RHD first discovered the theft on Feb. 16. The drive was tied to its Point-to-Point program in Exton, Pennsylvania and contains a host of highly sensitive information that varies by individual. The data could include SSNs, drivers’ licenses, financial account or payment card details, dates of birth, prescriptions, diagnoses, treatments, provider names, insurance information, and more.

The investigation into the incident and its impact is ongoing. RHD is continuing to work with outside forensics specialists, but for now, it’s unclear whether the data on the hard drive was encrypted. RHD is taking steps to secure its office and its computer servers, and is training employees on security best practices.

For 2 providers, network outages continue weeks after cyberattack

Oklahoma City Indian Clinic is still working to recover access to certain computer systems, including its pharmacy services, four weeks after a cyberattack. Meanwhile, Taylor Regional Hospital’s lab and oncology departments are still experiencing some tech disruptions nearly two months after being hit with a systems hack and related cyberattack.

As previously reported, OKCIC notified patients of potential disruptions to its pharmacy services on March 21, brought on by “technical issues.” The initial impact blocked access to certain services, including the clinic’s automatic refill line and mail order pharmacy services.

Patients were warned these systems would be down for an “indeterminate amount of time.” The latest social media posting shows the technical issues remain ongoing, with five-day wait times for refills and four-hour wait times for new prescriptions.

Meanwhile, Taylor Regional made serious progress in bringing at least 35 departments back online in the wake of a late-January cyberattack. But its ongoing site status shows it’s still struggling to bring its oncology and lab phone lines back online, about two months after the incident.

The hospital has already issued notices to 190,209 patients concerning the theft of their health information prior to the cyberattack and service disruptions.

The attacks and long periods of downtime spotlight the impact of cyberattacks on critical infrastructure organizations and the need for strong, well-practiced incident response plans.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.