New Fitch Ratings insights confirm the “relentless cyberattacks” against the U.S. health care sector are over-burdening the finances and material revenues of nonprofit hospitals and health systems, due to the “historic increase” in the frequency and severity of cyber assaults over the last 18 months.
The report comes on the heels of three notable breach notices, with additional providers added to the Elekta and PracticeFirst vendor incidents and an email hack of health care vendor MultiPlan that impacted nearly 215,000 patients.
Cybersecurity is included in Fitch analyses of the health care sector and part of its corporate-wide Environmental, Social and Governance (ESG) framework.
“Cyber risk is both a social risk in terms of safety and security, and a governance risk in terms of management effectiveness. A hospital’s ESG Relevance Score would be elevated if cyber risk were deemed to be material to the rating,” according to the insights.
“Cyber breaches that disclose patient information carry the risk of loss of consumer confidence, litigation costs and federal enforcement actions due to regulations around patient confidentiality,” the report continued.
Echoing a recent SC Media report, Fitch explained that the COVID-19 pandemic response served to fuel the number of cyberattacks across the country, including those against the health care sector. The response also may have further added to network security vulnerabilities with the uptick in remote work for nonessential hospital staff.
Prior to the national response, reports repeatedly warned of the security risks posed by health care’s reliance on legacy software used in some medical devices, MRIs, and CT scanners. With the rapid adoption of telehealth and remote tech, these security gaps may have multiplied during the pandemic.
Between ransom demand payouts and efforts to bolster the cybersecurity of health care systems, Fitch determined that these financial efforts are hindering financial flexibility in hospitals, as well as increasing operating expenses.
The monthlong ransomware attack against Universal Health Services in September 2020 provides a sound real-world example: the incident reportedly cost $67 million in recovery efforts and lost revenue. For a nonprofit entity, costs of that scale would add to an already heavy financial burden.
Health care cyberattacks inhibit revenue growth and an entity’s ability to recover costs in a timely manner, for example when an attack shuts down the billing system. As these attacks continue to pummel the health care sector, Fitch warned that these incidents may further tax entities with already constrained resources.
215K MultiPlan patients impacted by January email hack
The hack of MultiPlan’s email environment in January led to the compromise of data tied to 214,956 patients. MultiPlan is a medical payment billing services vendor.
On January 27, the security team identified suspicious activity against one employee email account and terminated access. An investigation conducted with assistance from a third-party forensics firm determined the attack was designed to divert wire transfers from MultiPlan clients attempting to make invoice payments.
The attacker also used the account to communicate directly with those customers about purported billing issues in another attempt to divert those payments from MultiPlan to their own account. Further, access to the account lasted for more than a month, from Dec. 23, 2020, to Jan. 27, when it was finally discovered.
The review concluded that the attack was solely designed for these fraudulent efforts. However, the attacker may have accessed or obtained the protected health information contained in the impacted account, such as names, contact details, medical record numbers, health insurance member and group IDs, Social Security numbers, and other sensitive data.
All patients will receive two years of free credit monitoring. MultiPlan has since bolstered its email security policies and procedures to prevent an attack recurrence.
McLaren Health added to Elekta breach tally
Michigan-based McLaren Health Care was recently added to the growing list of providers impacted by the ransomware attack and data exfiltration incident on Elekta, a third-party vendor of radiation therapy and clinical management services for cancer treatment providers.
The Department of Health and Human Services breach reporting tool shows 64,600 patients were affected.
On April 6, Elekta reported its cloud-based storage system experienced a cyberattack that caused service disruptions for some of its connected providers, delaying some care appointments. The attack was isolated to a small subset of clients due to its network and geographical segmentation.
However, the investigation into the incident revealed some client data was accessed and possibly stolen ahead of the ransomware attack. Officials said they could not determine the full extent of the access and are treating all of the data in the cloud system as compromised.
On May 17, Elekta notified McLaren Health that its data was compromised during the incident, in which the hacker accessed the system between April 2 and April 20. In total, eight McLaren Health care sites were affected.
The compromised data could include patient names, SSNs, contact details, demographic information, diagnoses, treatment details, appointment confirmations, and other patient data collected by McLaren Health to perform care services. No financial, credit, or debit card information was compromised.
All impacted patients will receive free credit monitoring and identity theft protection services.
The Elekta cyberattack is among the many vendor-related incidents plaguing the health care sector this year. It caused service disruptions for 40 providers and compromised the data of at least 170 health systems, including Intermountain Healthcare, Advocate Aurora, Northwestern Memorial HealthCare, Renown Health, Cancer Center of Greenwood Leflore Hospital, and Jefferson Health.
Some of the patients impacted by the incident recently sued Elekta, claiming the incident raised a number of patient safety concerns due to appointment delays. The vendor is also accused of employing inadequate security measures for protected health information, leaving patients at risk of identity theft, potential fraud, and exposure on the dark web.
UPMC patient data affected by PracticeFirst ransomware attack
The data of an undisclosed number of patients and employees of WCA Services was impacted by the ransomware attack on Practicefirst Medical Management Solutions and PBS Medcode. The University of Pittsburgh Medical Center (UPMC) acquired WCA during another acquisition in 2016.
As previously reported, the Practicefirst incident led to the theft of data tied to 1.2 million patients.
Practicefirst is a medical management vendor that provides data processing, billing, and coding services for the health care sector. UPMC does not currently do business with the vendor. However, Practicefirst provided services to WCA Services from 2009 to 2013.
An attacker attempted to deploy ransomware onto the Practicefirst network on December 30, which was quickly thwarted by the security team. The system was shut down, and the security team performed a system-wide password reset to stymie the impact of the incident.
Practicefirst also contacted law enforcement and contracted with a third-party privacy and security firm for assistance with recovery efforts. An investigation revealed the attacker copied files from the network prior to the attempted ransomware deployment, including patient and employee data.
For UPMC, the impacted data is tied to patients and employees of WCA Services from 2013 or prior and could include names, contact information, dates of birth, SSNs, driver’s licenses, diagnoses, lab results, treatments, patient identification numbers, medications, health insurance identification, claims data, tax IDs, and financial account data.