
Data of 500K patients accessed, stolen after eye clinic ransomware attack

A ransomware attack on Iowa-based Wolfe Eye Clinic earlier this year led to the access and possible theft of data belonging to 500,000 patients. While the initial cyberattack occurred in February, the complexity and scope of the incident were not determined until May 28.

The security team observed an unauthorized individual attempting to access the network on Feb. 8 and swiftly moved to secure the network. An outside IT security firm and investigator were hired to assist with a forensic review into the scope of the incident, which did not conclude until June 8.

At that time, the investigation determined that an attacker accessed and possibly stole information, which varied by patient, such as names, contact details, dates of birth, and Social Security numbers. For some patients, medical and health information was impacted.

All impacted patients will receive one year of free identity monitoring. Wolfe Eye Clinic has since implemented additional safeguards and enhanced its security.

Ohio Medicaid provider data exposed in vendor hack

Maximus, a business process services vendor for government health and human services agencies, recently reported that the data of 334,000 Ohio Department of Medicaid and Managed Care Plan providers was compromised during a hack on one of its servers on May 19.

The impacted server contained providers’ personal information used by Maximus for credentialing and tax identification purposes. Upon discovering the unauthorized access, the security team isolated the server and engaged a third-party forensics firm to determine the scope of the incident.

The investigation determined the hack began two days before it was discovered, which enabled an attacker to access provider names, dates of birth, SSNs, and Drug Enforcement Agency numbers. No patient data was accessed during the attack. All impacted providers will receive two years of free credit monitoring services.

45K patients impacted in Prominence health plan hack

An estimated 45,000 current and former members of Prominence Health Plan were recently notified that their data was compromised during a hack of the insurer’s data system. The attacker first gained access to the network in November 2020, but it went undetected until April 22, 2021.

Upon discovery, Prominence reset all user credentials and secured the impacted environment, launching an investigation and data restoration processes from its backup systems. Prominence membership benefits and services were not disrupted by the hack.

However, the attacker gained access to a trove of patient data, including audio recordings of calls made to and from Prominence’s call center and PDF files of both provider claim forms and approval or denial letters sent to patients.

The recordings contained patient names, dates of birth, addresses, and claim codes, while the PDF files included names, dates of birth, member ID numbers, contact information, and claim codes. No SSNs or financial data were compromised during the incident.

Notably, not all plan members were affected by the incident. But the insurer is notifying all 45,000 members from the 2019 to 2020 timeframe, as a precaution.

Prominence has been actively monitoring online forums for any signs the data has been misused. To date, no instances have been found. The insurer has also enhanced its information security and processes, in addition to contacting the FBI and regulators.

Mississippi Center for Advanced Medicine ransomware attack

An undisclosed number of Mississippi Center for Advanced Medicine patients are being notified that their data was compromised during a ransomware attack in December 2020. A third-party IT consulting firm was hired directly after the incident, which uncovered the breach in April 2021.

Attackers demanded a ransom from MCAM in December, after encrypting data on an internal server. The notice does not detail whether MCAM paid the demand. Over the last five months, investigators worked to determine what data, if any, had been accessed during the hack.

The team concluded that the attackers were able to access the impacted server’s data, which contained documentation tied to MCAM services and programs, including protected health information, such as names, SSNs, dates of birth, contact information, prescriptions, insurance processing data, medical histories, provider names, and clinical data.

The incident did not impact the electronic health record, nor any financial data. MCAM has since secured the impacted servers and files, while stressing the server was secured prior to the hack by an outside network security vendor using industry standard security measures.

In response to the incident, MCAM has added further security measures that include the implementation of enhanced user authentication, intrusion detection, and monitoring capabilities.

Ransomware threat groups leak more health data

In the last week, the Cuba and Conti ransomware threat actors leaked the data of two major health care providers: Forefront Dermatology and Goetze Dental. Both specialists provide care for patients in hundreds of care sites across the country.

In screenshots shared with SC Media, the Cuba hacking group posted data they claim to have obtained from Forefront Dermatology between June 4 and 6.

Meanwhile, Conti actors leaked 198GB of data allegedly stolen from Goetze, including personal employee data, such as SSNs, dates of birth, contact details, and employment contracts. The group also claims to have obtained financial documents tied to the company, client databases, all SQL databases, and Goetze’s practice management software database.

These types of data leaks are par for the course in the health care sector, with previous Coveware data showing that 77% of ransomware attacks lead to data theft and subsequent extortion attempts.

Conti actors have notoriously targeted the health care sector with ransomware and extortion attempts in the last year, despite the sector being overburdened with the pandemic response.

In May, the FBI warned the group was heavily exploiting health care and first responder networks with at least 16 victims this year, including Rehoboth McKinley Christian Health, Leon Medical Center, UK-based Livanova, and the massive attack on Ireland's Health Service Executive.

“Conti has also been re-attacking prior victims and launching new attacks shortly after an initial attack was sustained,” Coveware researchers previously explained. “A practice at odds with a RaaS organization interested in maintaining a reputation that compels victims to pay a ransom.”

The Cuba hacking group first appeared in mid-2020, but has only recently jumped on the data exfiltration and extortion bandwagon.

Coastal Medical Group cyberattack results in data theft

The data of an undisclosed number of patients was potentially stolen after a cyberattack on Coastal Medical Group. The New Jersey provider is listed as permanently closed.

The security incident was discovered on April 21. However, the systems were first compromised nearly a month prior, beginning on March 25. The provider launched its response and recovery procedures to reduce the impact and thwart the unauthorized access.

The investigation determined the hackers exfiltrated data during the hack, which could include patient names, contact details, SSNs, insurance information, diagnoses, treatments, dates of birth, and demographic details.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
