Ransomware, Incident Response, Data Security

Systems hack enables data theft, access for 8.9M MCNA Dental patients

Dentist at work with tools

The health information tied to 8.9 million patients enrolled in Florida Healthy Kids Corporation (FHKC) and the Florida Agency for Health Care Administration's Medicaid insurance programs was stolen after a systems hack on MCNA, their dental benefits and services provider.

MCNA Dental works with state Medicaid agencies, Children’s Health Insurance Programs, private entities, and other insurance plans. The notice only refers to FHKC and Florida’s HCA.

With nearly 9 million impacted, the incident is now the largest healthcare data breach reported by a single entity so far this year, followed by Pharmerica (5.2 million patients), Regal Medical Group (3.3 million), Cerebral (3.18 million), and NationsBenefits (3.04 million).

Discovered on March 6, a threat actor gained access to the MCNA system to both access and exfiltrate copies of data stored in the network for several weeks between Feb. 26 and March 7. The investigation also found certain systems were “infected with malicious code.”

The stolen data varied by individual included full names, contact details, dates of birth, email addresses, Social Security numbers, driver’s license numbers or other government-issued ID numbers, health insurance plan data, conditions, diagnoses, treatments, and insurance claims. The data was tied to children and their guardians.

Upon discovery, MCNA contacted law enforcement and has been cooperating with their investigation. The benefits manager has since bolstered its systems security.

For FHKC, this is the second vendor-related breach affecting its patients in the last two years. Reported in early 2021, its vendor, Jelly Beans Communications Design, failed to patch multiple website vulnerabilities and enabled a threat actor to access and tamper with patient data for more than seven years. The incident was one of the largest healthcare data breaches in 2021.

Idaho Falls Community Hospital diverting patients after cyberattack

Mountain View Hospital, Idaho Falls Community Hospital, and its partner clinics are working to recover from an ongoing cyberattack in electronic health record downtime procedures, diverting ambulances and canceling some appointments to ensure patient safety.

Medford Radiology Group in Oregon was hit by a cyberattack over the Memorial Day weekend, as well. The significant cyberattack has interfered with the processing of medical imaging and other operations.

For the Idaho hospitals, the response team took the network offline to limit the scope of the incident and protect patient information. But “until we feel confident the virus has been fully removed, some clinics will be closed, Idaho Falls Community Hospital will divert ambulances to nearby hospitals, and normal workflows may look a little different,” officials said. 

As a result, clinicians are relying on paper processes to continue caring for patients admitted to the hospitals, while surgeries are continuing as scheduled, the emergency department remains open, and most clinics are able to continue seeing patients as usual, according to the most recent update. Patients whose appointments are canceled are being contacted by providers.

“We apologize for any inconvenience or delays our community may experience because of this attack,” the update notes. “Our commitment to our patients’ well-being remains our top priority. … We also want to thank all of the community members, businesses and surrounding healthcare facilities who have offered us support and encouragement.”

Recent data suggests cyberattacks not only impact care morbidity at the impacted care sites, but on these nearby hospitals that take on the overflow of patients unable to be seen at downed hospitals.

“Hospitals adjacent to healthcare delivery organizations affected by ransomware attacks may see increases in patient census and may experience resource constraints affecting time-sensitive care for conditions such as acute stroke,” the JAMA research showed. The attacks and associated disruptions "should be considered a regional disaster.”

The Idaho hospitals join a growing list of healthcare entities to face prolonged outages after a cyberattack in the last month, including Richmond University Medical Center in Staten Island, Murfreesboro Medical Clinic & SurgiCenter in Tennessee, BitMarck, and Point32Health.

Ransomware attack on Enzo Biochem leads to data theft for 2.47M

The clinical testing information associated with nearly 2.47 million patients tied to Enzo Biochem, was exposed in a ransomware attack deployed against the New York biotech company on April 6.

The ransomware attack forced the company to disconnect the systems from the internet. The company was able to maintain operations by relying on its incident response process, which includes providing services to patients and partners.

A Securities and Exchange filing showed Enzo Biochem “became aware” on April 11 that the names, test information, and Social Security numbers of these individuals were accessed and/or exfiltrated from the company’s IT systems during the incident.

The investigation is ongoing, but the company confirmed the “unauthorized access to, or acquisition of clinical test information.” SSNs were compromised for about 600,000 of these individuals. Enzo Biochem is still working to determine if employee data was impacted.

What’s more, “the company has incurred, and may continue to incur, certain expenses related to this attack, including expenses to respond to, remediate and investigate this matter,” according to the incident. The suspect their will be continued “risks and uncertainties” stemming from the event, as well as additional regulatory scrutiny. 

For now, the full scope of these costs and impacts is still being evaluated.

Over 224K Albany ENT individuals impacted by weeklong hack

Albany ENT & Allergy Services recently notified about 224,000 patients that their data was likely accessed during a hack of its computer network between March 23 and April 4.

The subsequent investigation determined a threat actor gained access “to certain systems” that held both personal and protected health information tied to both employees and patients. The notice provides no further detail on the impacted data. However, the entity was listed on two ransomware group’s dark web extortion sites in early May: RansomHouse and BianLian.

AENT notified federal law enforcement and is continuing to cooperate with the ongoing investigation.

Royal Ransomware claims attack on Morris Hospital

Morris Hospital & Healthcare Centers in Illinois recently notified patients that it’s “actively investigating a cybersecurity incident” with support from an outside cybersecurity team, after the Royal Ransomware Group added the entity to its dark web extortion site.

Hospital officials stress that the incident has not affected patient care or hospital operations.

An investigation was launched after the security team detected “unusual activity” on the network, which suggested a threat actor gained access to its systems. The affected system is separate from the EHR used for patient care and has not been compromised.

Upon discovery, the team took action to contain the threat. The investigation is ongoing and includes reviewing each individual file on the affected servers to determine what, if any, data was compromised.

“Hospital officials emphasize that the numerous IT security measures that were already in place at Morris Hospital were instrumental in preventing a more severe incident,” according to the notice.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.