Compliance Management, Ransomware, Breach

Months-long hack, theft of Sea Mar healthcare data impacts 688K patients

The  U.S. Department of Health and Human Services building is shown Aug. 16, 2006, in Washington. (Photo by Mark Wilson/Getty Images)

All covered entities and relevant business associates are required to inform patients of breaches to their protected health information within 60 days and without delay to comply with The Health Insurance Portability and Accountability Act, regardless of whether an investigation into a hack, data theft, or other security incident is ongoing.

However, throughout the year, the timeliness requirement has been one of the most commonly overlooked compliance areas with an ever-increasing list of providers failing to adhere to the rule.

As noted in previous reporting, it’s understandable that investigations can be time-consuming to complete. But many providers have successfully managed to comply with the rule using transparent reporting practices that enable patients to quickly act to protect their identity and defend against fraud attempts.

In the last few weeks, at least three covered entities have issued notices outside of that 60-day requirement and without explaining the delays to patients.

Sea Mar reports massive patient data theft, five months after discovery

The personal and health data of 688,000 Sea Mar Community Health Centers patients was accessed, exfiltrated, and leaked online, after a monthslong systems hack that began in December 2020, according to a breach notification posted on the provider’s website. Sea Mar is a nonprofit entity serving underserved patients in Washington.

On June 24, Sea Mar was notified that some of its data was copied from its digital environment by a threat actor, prompting officials to secure the network and launch an investigation with assistance from an outside cybersecurity firm.

A forensic analysis found that additional data was removed from the impacted systems between December 2020 and March 2021, months before it was discovered. The stolen data varied by individual and included names, contacts, Social Security numbers, dates of birth, client identification numbers, treatment information, insurance details, claims data, and dental images.

Sea Mar then sought to determine the contact information for the potentially impacted patients, which concluded on Aug. 30. Patient notices were sent on Oct. 29, 10 months after the initial hack. The notice does not explain the additional 120 days taken to send patient notices after identifying contact details.

Lakeshore Bone and Joint reports Microsoft Office 365 hack

A hack on the Microsoft Office 365 email platform of Lakeshore Bone and Joint Institute potentially led to the access of data belonging to 23,627 current and former patients and employees.

First discovered on July 7, a threat actor gained access to the email environment through a single employee email account. Officials said they secured the account and launched an investigation, but the notice does not shed light on the length of the hack, nor whether there was evidence of data access.

As the account held patient and employee data, LBJI is issuing notice to the impacted individuals. The compromised data could include personal and protected health data, such as names, SSNs, dates of birth, treatments, diagnoses, provider names, patient IDs, health insurance details, and the cost of treatments.

The Nov. 16 notice informs patients that the delayed notification is due to challenges with finding contact information of those impacted. LBJI has since “taken steps to help prevent a similar incident from occurring in the future.”

Putnam County Memorial Hospital ransomware attack leads to data access

A ransomware attack against Putnam County Memorial Hospital on July 18, enabled attackers to access the data of 6,916 patients. The hospital has since regained access to the impacted systems and information, but did not disclose the length of the system outage or downtime. The notice also does not explain the reason for the delayed notification.

The investigation confirmed a threat actor first gained access to portions of the hospital’s computer system for two days, while performing “various network reconnaissance and ransomware tools to gain access” and render systems inaccessible.

The systems review also indicated the attackers accessed the personal information of some patients and employees, including names, contacts, SSNs, and health information,such as lab and radiology reports, physician assessments and records, and patient authorizations. The hospitals did not find evidence credit cards or financial data were accessed.

In an abundance of caution, the hospital notified all individuals who’ve either been patients or employees of the hospital since May 2013. The hospital is still reviewing the impacted records and systems and will notify all individuals of any significant findings.

The hospital has since added further security measures to defend against a recurrence and will provide a year of complimentary identity monitoring for those affected by the incident.

Eskenazi Health sends breach notice to 1.5M

In what could serve as a lesson to other healthcare providers on timely HIPAA-compliant breach notices, Eskenazi Health issued its own notice for the 1.5 million patients affected by its ransomware attack and data extortion incident from over the summer.

The Indiana health system previously informed patients the cyberattack involved the exfiltration of health information, while it continued its recovery efforts and investigation into the incident. Hackers deployed the ransomware payload on Aug. 4, forcing Eskenazi health into electronic health record (EHR) downtime procedures for a number of days.

Prior to the ransomware attack, the Vice Society threat actors stole patient data and leaked it online in an effort to strong arm the provider into paying a ransom. Instead, officials confirmed the theft of patient and employee data to the impacted individuals, enabling patients to take swift action to defend against fraud attempts and monitor credit reports.

Although it’s not required by HIPAA, preemptive notifications and transparency surrounding cyber incidents can positively impact patient responses. For example, the ongoing EHR downtime at Southern Ohio Medical Center has spurred officials to provide daily, transparent updates on its social media account and patient comments have remained positive.

As for the Eskenazi incident, its HIPAA-compliant Oct. 1 notice shed further light on the data theft: the attackers first gained access to the network months before deploying ransomware on May 19 “using a malicious internet protocol address.”

The hackers also disabled security protections ahead of the ransomware attack, allowing them to proliferate undetected on the network and steal data ahead of the encryption tactics.

The notice also confirms the data was leaked online, which could include names, dates of birth, contact information, medial record and patient account numbers, diagnoses, clinical data, provider names, insurance details, prescriptions, dates of service, driver’s licenses, passports, SSNs, credit card details, and other sensitive data.

The attackers also stole data on deceased patients, including the date and cause of death. All impacted patients will receive free identity theft protection and credit monitoring.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.