At least eight new breach notices were issued this week tied to a phishing attack deployed against Adelanto HealthCare Ventures in November 2021. Houston-based St. Luke’s Health first reported the same incident in October 2022.
AHCV is a consulting company that supports healthcare business associates with claims data. On Nov. 5, 2021, the company discovered that two employee email accounts had been hacked after a successful phishing incident. According to one provider notice, it did not initially appear that protected health information (PHI) was affected by the email system compromise.
On Aug. 19, 2022, 10 months later, further forensic analysis confirmed that PHI was indeed involved. A subsequent investigation found the emails contained provider names, patient ages, patient account numbers, admission and discharge dates, insurance carriers, and balance information. No Social Security numbers or financial data were impacted.
Texoma Medical Center, Suncoast Behavioral Health, Coral Shores Behavioral Health, The Vines Hospital, South Texas Health System, Doctors Hospital of Laredo, Fort Duncan Regional Medical Center, and Northwest Texas Healthcare System all reported being affected by the incident this week.
While the notices were sent more than 18 months after the security incident was first discovered, AHCV did not discover that protected health information was affected until Aug. 19, 2022.
But that does not explain why the vendor did not report the patient data impacts until eight months later, far outside of the 60-day requirement outlined in the Health Insurance Portability and Accountability Act. The Department of Health and Human Services has repeatedly warned that notices are to be sent within 60 days of discovery, not at the close of an investigation.
54K NewYork-Presbyterian Hospital patients impacted by pixel use
Joining a long list of providers to report inadvertently disclosing health data to third parties via pixel tracking tools, NewYork-Presbyterian Hospital is notifying 54,396 patients of the unauthorized disclosure of their information due to the use of tracking and analytics tools.
NYP leveraged the tools on its public-facing website “to understand how visitors interacted with the website” and enabled “NYP to review website activity to streamline external communications, monitor community engagement” and make it easier for patients to access personalized care options.
However, it also led to the unintended disclosure of their data to the developers of these tools.
Upon discovery, NYP disabled the trackers and conducted an analysis to determine just what data was exposed. The forensics confirmed the pixels disclosed the information of patients who requested appointments or second opinions, or initiated a virtual urgent care visit.
It also appears that the tools accessed IP addresses and the URL/website addresses of the pages visited, including provider names and specialties, full patient names, contact details, and/or gender if the patient entered the data on particular website pages. The data was shared with its third-party technology service providers.
The investigation did not find evidence that the pixel-tracking tools captured any financial information, passwords, SSNs, or other sensitive health data, nor were patient medical records impacted within the patient portal or mobile application.
NYP has since reevaluated and changed how it collects data, in addition to developing a protocol for monitoring website engagement.
Florida Medical Clinic reports data access impacting 94K
A little over 94,000 Florida Medical Clinic patients were recently notified that a ransomware attack deployed against the provider’s network on Jan. 9 enabled the attacker to access certain files that contained their health information.
Notably, forensics found that the electronic health record systems remained secure from the attack and were not exposed to the attackers.
After the ransomware was deployed and detected, the security teams fully contained the incident within hours and “proactively isolated the exposure.” The team brought in a third-party forensic cybersecurity firm to investigate, which confirmed the limited data impacts.
However, the notice suggests that the compromised data was also stolen ahead of the attack, while noting they “secured evidence that all of the stolen files were permanently deleted.” Officials added: “We feel strongly that any information obtained was not used for malicious intent.”
Security researchers have long warned against paying ransoms and trusting the word of adversaries, but Florida Medical has not found evidence the accessed and stolen data was misused.
In total, 94,132 files were exposed, which contained limited personal information. In fact, “the overwhelming majority of the files — over 95% — included only an individual’s name and no other personally identifiable information.” The remaining files included some medical data, contact details, and dates of birth, and just 115 SSNs were compromised.
Florida Medical Clinic has since implemented additional cybersecurity measures, replaced some system components, and updated the remote access system protocols.
NorthStar Emergency Medical Services reports September hack
NorthStar Emergency Medical Services recently notified 82,450 patients that their data was accessed after a hack of its digital environment, discovered on Sept. 16, 2022. The notice suggests the delayed notification was caused by “an in-depth and time-consuming review of the data.”
An investigation into the security incident found the threat actor accessed certain data stored on the network, including patient names, SSNs, dates of birth, patient ID numbers, treatment information, Medicare/Medicaid numbers, and/or health insurance information.
NorthStar has since bolstered its cyber environment to prevent a recurrence and reported the hack to law enforcement.