
Patient data stolen ahead of CentraState cyberattack, impacting 617K

Patient information is accessed on a health system portal

CentraState has confirmed that threat actors stole a copy of an archived database containing patient data ahead of its reported cyberattack and subsequent network outage in December and January. Estimates show 617,901 patients were affected.

As previously reported, the New Jersey hospital said a cyberattack on Dec. 30 led to the launch of electronic health record downtime procedures. CentraState faced “technical problems related to an IT security issue” and was forced to deploy care diversion processes in response to the network outages.

The use of paper processes enabled the hospital to continue logging patient care through the records available on site. Beyond its initial report, officials did not disclose further details about the attack. The breach notice answers some of those lingering questions.

The attack was deployed on Dec. 29, discovered by CentraState as “unusual activity” on its computer systems. The hospital took action to contain the incident and began investigating with help from an outside forensics firm. The FBI was also contacted, and CentraState is still working with the FBI on its investigation.

The investigation has since confirmed the attackers stole an archived database the day before the cyberattack. The data varied by patient and could include dates of birth, Social Security numbers, contact information, health insurance details, and medical record and patient account numbers. Some care data was also stolen, including visit notes, provider names, treatments, and other medical information.

While CentraState began issuing notices earlier this month, potential breach victims have already filed a lawsuit. As SC Media has extensively reported, healthcare data breach lawsuits have become as common as the breach notices themselves, despite the Supreme Court ruling that breach victims must provide evidence of concrete harm.

Tallahassee Memorial brings systems back online

After 13 days, Tallahassee Memorial HealthCare fully restored its computer systems and is now operating under standard care procedures. All emergency care diversion procedures and paper processes have ended, according to the latest update.

As recently noted, the Florida hospital chain was hit with a cyber incident on Feb. 2 and was forced to cancel a range of appointment types for nearly two weeks. EMS care was diverted to nearby hospitals, as the IT team worked with law enforcement to bring systems back online.

A website notice shows “TMH, which cares for the vast majority of emergent patients in Leon and surrounding counties” has resumed all care services. The care team is now working to reschedule the non-emergent surgeries and outpatient procedures canceled amid the outages.

However, officials said they’d “be remiss not to expect hurdles. We are a 772-bed hospital and a regional healthcare system with nearly 6,000 colleagues. Our systems and processes are vast and intricate, and we’ve brought them online strategically and securely to ensure the best possible care for our patients.”

The quick turnaround for TMH should nonetheless be seen as a victory, as the average downtime period hovers around three to four weeks, as in the incidents reported by CommonSpirit Health, Scripps Health, Universal Health Services, and a host of others.

BlackCat hits Lehigh Valley Health Network

A trove of patient data tied to Delta Medix was posted on the BlackCat dark web leak site. Delta Medix is part of the Lehigh Valley Health Network.

LVHN CEO and President Brian Nester has since confirmed a BlackCat ransomware attack targeted the Delta Medix network and apparently exfiltrated confidential images and medical data for an undisclosed number of patients.

The investigation into the incident is ongoing, but Nester confirmed the hack targeted a computer system containing images tied to radiation oncology treatment and other relevant information. However, LVHN has not yet determined the exact impact of the attack.

LVHN did not pay the ransom, nor were patient care processes impacted by the incident. The physicians network is working with an outside cybersecurity firm to confirm the impacted information and will follow regulatory protocols for breach notifications.

In December, a Department of Health and Human Services alert on BlackCat warned of the group’s “technically superior” functions compared with other ransomware-as-a-service groups. The highly customizable variant relies heavily on internally developed capabilities, which operators are able to constantly develop and update.

BlackCat uses a range of encryption routines and can self-propagate, while rendering “hypervisors ineffective” in an effort to complicate forensic analysis. The alert also called BlackCat “one of the more adaptable ransomware operations in the world.”

Business associate hack impacts Regional One Health patients

Nearly 251,000 Regional One Health patients were recently notified that their data was stolen after the hack of one of its business associates, Reventics, a revenue cycle management vendor.

On Dec. 15, Reventics discovered a threat actor accessed information on its servers, prompting an investigation that found the attacker both accessed and exfiltrated a range of personally identifiable information and protected health data.

The data included patient names, SSNs, dates of birth, contact details, medical record numbers, patient account numbers, financial data, driver’s licenses and other government-issued IDs, provider names, health plan names and IDs, clinical data, dates of services, treatment costs, prescriptions, numeric codes for identifying services and procedures, and code details.

The intrusion did not impact Reventics’ operations, and the vendor has since bolstered its technical safeguards with new encryption controls, an updated security risk analysis, and revisions to its policies and procedures. Workforce members have also been retrained.

Ransomware attack on Teijin Automotive impacts health plan data

Teijin Automotive Technologies recently informed 25,464 current and former employees enrolled in the company health plan that their data was compromised during a ransomware attack on its corporate IT systems in December.

First discovered on Dec. 1, the ransomware was deployed after an employee unknowingly clicked on a malicious link contained in a phishing email, which enabled the actors to access company servers. Both local law enforcement and the FBI were contacted to assist with the investigation. The incident was contained within four days.

The subsequent investigation found the accessed servers contained contact details, dates of birth, SSNs, health insurance policy information, and limited banking information. Officials don’t “believe any medical information was maintained on the affected servers.”

Teijin has since enhanced its data security and procedures, in addition to investing in new technology and re-training employees.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
