The Blackbaud data breach was the largest health care-related incident of 2020, impacting an estimated two dozen providers and well over 10 million patients. Now, 2,565 patients of addiction treatment center Alina Lodge are being notified that their data was compromised during the massive vendor incident more than a year ago.
Blackbaud is a cloud computing vendor for nonprofits, foundations, corporations, education institutions, health care entities and change agents. In February 2020, threat actors broke into its self-hosted environment and stole data as they moved laterally across the network.
During that time, the attackers stole sensitive data from donors, potential donors, patients, community members with relationships to the entity, and other individuals tied to the impacted entities.
What’s worse, the intrusion was not discovered until three months later, when the attackers deployed ransomware onto the self-hosted environment on May 14, 2020. Blackbaud officials confirmed they paid the ransom demand “with confirmation that the copy they removed had been destroyed.”
The vendor is currently facing at least two dozen lawsuits, in the wake of the event.
The Alina Lodge breach notice shows the provider was first told in October 2020, more than six months ago, that its data was involved in the Blackbaud incident. At that time, however, Alina Lodge was assured that its data was encrypted and therefore not viewable by the threat actors.
On April 19, 2021, Blackbaud informed the Hardwick Township, N.J.-based Alina Lodge that its data had in fact been exposed during the attack. As a result, the attackers likely accessed personal data such as names, contact details, admission and discharge dates, and other treatment details, including recovery status and diagnoses.
This type of data can be used for health care fraud or even to conduct attacks directly against impacted individuals. Patients will receive free access to credit monitoring and identity protection services.
68K SJRMC patients notified of health data breach from 2020
San Juan Regional Medical Center in New Mexico recently notified 68,792 patients that their data was accessed and stolen in a network hack that took place roughly nine months ago.
Upon discovering a threat actor had gained access to its system, SJRMC secured the network and sought to mitigate the threat. A forensic investigation found the actor removed information from the network during the incident, between September 7 and 8, 2020.
A manual document review -- concluded on April 6, 2021 -- found that impacted data included the personal and protected health information of patients.
The stolen data varied by patient and could include names, dates of birth, Social Security numbers, driver’s license and passport numbers, financial account numbers, health insurance details, and medical data such as diagnoses, treatments and medical record numbers.
Not all SJRMC patients were affected by the incident. SJRMC is providing free credit monitoring services to all patients whose SSNs were compromised during the hack.
Under HIPAA, covered entities and relevant business associates are required to report breaches of protected health information impacting 500 or more patients without unreasonable delay and in no case later than 60 days after discovery.
“Individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include, to the extent possible, a brief description of the breach, a description of the types of information that were involved in the breach, the steps affected individuals should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches, as well as contact information for the covered entity (or business associate, as applicable),” according to the rule.
The SJRMC notice leaves some question as to whether the regulation was followed, or if officials should have preemptively notified patients of the incident, given that the medical center houses troves of protected health information.
As the breach has been reported to the Department of Health and Human Services, the case is currently under investigation and further information may come to light in the future.
Business associate’s ransomware attack leads to data breach
Earlier this year, a ransomware attack on health care business associate Elekta drove several cancer treatment centers offline, according to HealthITSecurity.com. A recent breach notice shows the data of those patients was compromised during the incident.
Cancer Centers of Southwest Oklahoma uses Elekta to manage its radiation therapy and radiosurgery equipment and related clinical services. A ransomware attack on the vendor’s cloud-based storage system led to system outages beginning on April 6, 2021.
At the time, the security team contained the attack and identified two providers impacted by it. The Oklahoma provider was not among them. However, the subsequent investigation confirmed the attackers had accessed protected health information.
Elekta is continuing to investigate the event and has concluded all data within its cloud system should be considered compromised, including the data of about 8,000 Cancer Centers of Southwest Oklahoma patients.
The potential compromised data could include patient names, SSNs, contact details, dates of birth, physical attributes, diagnoses, treatments and appointment confirmations. No financial account or credit card information was compromised.
All patients will receive complimentary identity monitoring, fraud consultation and identity theft restoration services.
The impacted Elekta servers remain offline to ensure the protection of patient and customer information, as well as to prevent further access. Cancer Centers of Southwest Oklahoma is working with the vendor to understand the scope of the incident and to find alternative ways to continue treating patients.
Officials said the investigation and evaluation of alternative treatments is ongoing.
Reproductive Biology ransomware attack results in data theft, exposure
Georgia-based Reproductive Biology Associates and its affiliate My Egg Bank North America were hit with a ransomware attack from April 7 to April 10, 2021, which rendered their systems inaccessible and led to the theft and exposure of patient data.
RBA did not discover the incident until April 16, nearly a week after the initial intrusion, when the security team found that a file server containing embryology data was encrypted. Ransomware was determined to be the cause, and the team shut down the impacted server to terminate the threat actor’s access.
On June 7, the investigation concluded that the affected data was tied to patients. Once the security team regained access to the encrypted files, they “obtained confirmation from the actor that all exposed data was deleted and no longer in their possession.”
It should be noted that Coveware data has consistently shown threat actors often falsify the evidence they provide to victims about stolen or impacted data.
“The data will not be credibly deleted. Victims should assume it will be traded to other threat actors, sold, or held for a second, future extortion attempt,” researchers explained in a November 2020 Coveware report. “Unlike negotiating for a decryption key, negotiating for the suppression of stolen data has no finite end.”
“Stolen data custody was held by multiple parties and not secured. Even if the threat actor deletes a volume of data following a payment, other parties that had access to it may have made copies so that they can extort the victim in the future,” they added.
RBA is also running supplemental web searches to monitor for the exposed patient data appearing online. So far, those searches have not found any information related to the breach.
The investigation into the scope of the compromised information is ongoing, but officials have determined the data may include full patient names, contact details, lab results, and information tied to the handling of human tissue.
RBA is continuing to monitor its systems and the web to detect and respond to any misuse or misappropriation of the patient information, with assistance from a third-party IT services firm. The team is also conducting interviews and analyzing forensic data related to the incident.
Further, the team deployed device tracking and monitoring to help contain the attack and determine its full scope. RBA has also since implemented additional internal controls and provided staff with additional cybersecurity training.
“These controls include working with a cybersecurity service provider to remediate actions taken by the actor and restore our systems, updating, patching, and in some cases replacing infrastructure to the latest versions, deploying password resets to appropriate users, rebuilding impacted systems, and deploying advanced antivirus and malware protection,” officials said in the notice.
65K Minnesota Community Care patients added to Netgain breach tally
Minnesota Community Care (MCC) recently notified 64,855 patients that their data was included in the data compromised and stolen during a ransomware attack on Netgain, its third-party cloud-based IT services provider.
To date, the Netgain incident has claimed victims from at least 10 providers and nearly 1 million patients.
Attackers gained access to Netgain’s network in September 2020, but the security team did not discover the intrusion until two months later. Although Netgain notified law enforcement and quickly launched an investigation, the attackers deployed ransomware on December 3.
The investigation revealed the attackers had stolen troves of sensitive client data, prior to encrypting a subset of data stored in Netgain’s internal systems. Netgain officials confirmed they contained and eradicated the threat on January 14, 2021 and began notifying impacted clients.
On February 25, Netgain provided MCC with a list of data files the attackers had accessed and/or exfiltrated from the server. MCC then launched its own review to determine whether the data included protected health information or personally identifiable information.
That review concluded on April 30, months after the data was exfiltrated.
The stolen data contained patient names in combination with one or more other elements, including SSNs, driver’s licenses, government identification numbers, dates of birth, credit or debit card details, account numbers and PINs, diagnoses, health insurance policy numbers, and a host of other highly sensitive data.
MCC is continuing to work with third-party vendors to bolster its security and oversight.