
Data of 1.2M patients stolen prior to third-party vendor ransomware attack

Practicefirst Medical Management Solutions and PBS Medcode recently notified 1.2 million patients that their data was accessed and stolen from the vendor's network, ahead of a ransomware attack deployed on Dec. 25, 2020.

Practicefirst is a medical management company tasked with data processing, billing, and coding services for health care providers.

On Dec. 30, the vendor discovered an attacker attempting to deploy ransomware on its system. Officials said they shut down the system, performed a system-wide password reset, alerted law enforcement, and contracted with an outside privacy and security firm.

A review found the actors copied files from the network during the hack, including patient and employee information.

The stolen information varied by patient and could include names, contact details, dates of birth, Social Security numbers, driver’s license numbers, medical information, patient identification numbers, bank account details, credit card information, and employee usernames, passwords, and security questions and answers, among other sensitive data.

The notice does not explain the six-month delay in notifying patients. Under HIPAA, providers are required to inform patients of data breaches within 60 days of discovery and not at the close of an investigation.

Practicefirst officials said they negotiated the release of the data, with confirmation the data was destroyed and not shared. It’s important to note researchers assert there’s no guarantee hackers will actually adhere to promises made to victims around the return or deletion of data. Conti ransomware actors, in particular, have been known to falsify evidence provided to victims.

The vendor has since implemented additional security measures to prevent a recurrence.

With its 1.2 million breach tally, the incident is now the fifth largest health care data breach in 2021 so far.

REvil threat actors leak data from University Medical Center of Southern Nevada

In other health care data breach news, University Medical Center of Southern Nevada recently confirmed that it fell victim to a REvil ransomware attack in June, after REvil threat actors began leaking data they exfiltrated prior to the attack.

The screenshots shared with SC Media show the hackers leaked scans of patients’ driver’s licenses and SSN cards, as well as passports and other highly sensitive data.

According to health system officials, attackers first gained access to a server used to store information in early June, and law enforcement was brought on to investigate. So far, there’s no evidence the attackers were able to gain access to clinical systems.

Failed ransomware attack on Coastal Family Health Center

The data of 62,342 patients of Coastal Family Health Center in Mississippi was accessed during a failed ransomware attack on May 13. The attempt to shut down the computer network was unsuccessful, and CFHC continued to treat patients and provide services despite the attack.

However, the attacker was able to access the personal information of patients during the incident, including patient names, contact details, SSNs, medical insurance information, health data, and treatment information.

CFHC has been working with a third-party cybersecurity firm on its investigation and has since modified security procedures to reduce identified risks.

More providers added to Elekta breach tally

Northwestern Memorial HealthCare and Renown Health have been added to the list of providers impacted by a ransomware attack on cancer software vendor Elekta earlier this year. In total, more than 40 health systems reported experiencing network issues due to the security incident.

Threat actors launched a cyberattack against Elekta’s cloud-based storage system on April 6, which forced some providers to cancel some radiation treatment appointments as the systems were driven offline.

At the time, Elekta informed the public that the attack was isolated to a subset of U.S. cloud customers due to its geographical and service segmentation of cloud services.

The Renown Health notice shows Elekta’s forensic investigation discovered protected health information (PHI) was accessed during the hack. The incident review is ongoing, but Elekta notified all impacted clients that it has concluded all of its cloud-system data was compromised.

The impacted Renown Health data is tied to patients residing in Nevada or neighboring states. It could include names, SSNs, demographic and physical details, medical treatments, appointments, and diagnoses.

Northwestern Memorial notified patients that the incident compromised a database for oncology patients from Northwestern Medicine’s Central DuPage Hospital, Delnor Community Hospital, Huntley Hospital, Kishwaukee Hospital, Lake Forest Hospital, McHenry Hospital, and Valley West Hospital, as well as Northwestern Memorial Hospital.

The impacted data includes patient names, SSNs, dates of birth, health insurance information, medical record numbers, and clinical data tied to cancer treatments, like medical histories, provider names, dates of service, treatment plans, diagnoses, and prescriptions.

The impacted system remains offline in the wake of the attack to protect patient and customer information. Elekta is continuing to work with the impacted health entities, including Renown and Northwestern Memorial.

Northwestern officials said they’re reevaluating their relationship with Elekta. The other impacted entities include Carle Health in Illinois, Southcoast Health in Massachusetts, Lifespan, Yale New Haven, Charles Health System, and the Cancer Centers of Southwest Oklahoma.

The security incident is part of a concerning trend in health care this year: massive security incidents and data breaches stemming from a single incident on a third-party vendor. In fact, 6 out of 10 of the largest health care incidents were caused by vendors.

As a reminder, NIST and the Department of Homeland Security Cybersecurity and Infrastructure Security Agency previously released best practice insights to support entities with bolstering their vendor management processes.

UW Health reports four-month hack of patient portal

The University of Wisconsin Health recently notified patients that their data was likely accessed during a four-month hack of its MyChart patient portal.

The hack was discovered on April 13, and the subsequent investigation revealed unauthorized actors were able to access a number of patient portal accounts beginning on Dec. 27, 2020, and potentially accessed the data contained in the portal.

For some patients, the access was limited to the patient portal homepage, which displays clinical information like upcoming appointment reminders, hospital admissions, care team details, subject lines of provider messages, and prompts to view new test results.

For others, the actors accessed pages that contained appointment and admissions information, health insurance details, claims data, and additional medical histories, such as test results, diagnoses, and medications.

No financial data or SSNs were compromised in the health care data breach, as the identifiers are not stored in the MyChart portal.

UW Health is evaluating its current security processes and protocols, in addition to bolstering password security and implementing two-factor authentication on its MyChart portal. Officials said they are also deactivating patient accounts that have been idle for at least 15 months.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
