
Zoll Medical notifies 1M patients of data breach tied to LifeVest device


Just over 1 million patients who used or were considered for use of a Zoll product were recently notified that their data was potentially exposed after a hack of the medical device and technology solutions vendor’s internal network in early February.

In a statement to SC Media, Zoll confirmed the hack was tied to current and former patients who use Zoll’s LifeVest device, a wearable cardioverter defibrillator, and stressed that the “cybersecurity incident does not affect the safety or operation of the LifeVest device or any other Zoll medical device or related software.”

The Zoll notice only shares that it discovered a cybersecurity incident on Jan. 28, with “unusual activity” found on its internal network. Steps were taken to promptly mitigate the incident in consultation with a third-party cybersecurity firm. Zoll also contacted law enforcement.

The subsequent investigation determined patient data was impacted “on or about Feb. 2, 2023.” The forensic analysis is ongoing, but Zoll has confirmed patient names, dates of birth, contact details, and Social Security numbers were compromised.

“It may also be inferred that you used or were considered for use of a ZOLL product,” according to the notice.

This is the second major breach reported by Zoll in the last four years. An error made by a third-party service provider during a server migration led to the compromise of personal and medical data tied to 277,319 patients. In that incident, reported in March 2019, Zoll discovered on Jan. 24, 2019, that some emails archived by the vendor were exposed during a routine server migration.

The subsequent investigation found the exposure lasted for two months. A lawsuit filed by Zoll against the vendor tasked with record retention and maintenance requirements later revealed the mistake was allegedly caused by Barracuda Networks.

Hackers steal 4.5TB of patient data from Barcelona hospital

The threat actors behind the cyberattack levied against the Hospital Clinic of Barcelona on March 4 issued a ransom demand of $4.5 million to not publish the 4.5 terabytes of patient data the attackers claim to have stolen from the network, according to the latest update.

However, “no kind of payment will be made, nor will they give in to any kind of blackmail or extortion,” according to a statement from Sergi Marcén, secretary of telecommunications and digital transformation; Tomàs Roy, director general of the Cybersecurity Agency of Catalonia; and Ramon Chacon, head of the General Criminal Investigation Department of the Mossos d'Esquadra.

The officials authenticated the attackers’ claims and their research and technical teams have confirmed the “files have been stolen, but the type of data involved is unknown at this time.”

SC Media previously reported the earlier attack was causing care delays, and the latest hospital update shows the cyber incident was caused by a ransomware attack that was followed by an extortion attempt.

“From minute zero,” investigators patrolled the hospital network and “the darknet to detect immediately if the data is published and took the corresponding actions to remove it,” officials explained. But law enforcement reaffirmed that extortion payments are not recommended, as they serve to fuel further cybercrime.

The ongoing investigation “is very complex,” and the police are still working to identify the attackers. The hospital is continuing to work with the law enforcement agencies to contain and restore the impacted systems, as it continues to investigate.

The latest update on March 10 shows the hospital has successfully recovered 15% of the network. Officials credit its previously established business continuity plans for the hospital's ability to recover 90% of its surgical activity, 40% of ambulatory surgery, and 70% of external consultations, as well as the stroke and heart attack codes.

On social media, patients have expressed gratitude for the hospital maintaining oncology care throughout the network downtime, by sending patients to nearby Sant Pau and Vall d'Hebron Hospitals. It’s an impressive feat not often seen with hospital outages, which frequently lead to delays in cancer-related appointments.

The hospital has also been able to maintain care at its emergency site following the first day of the attack, and the pharmacy department has remained open, with clinicians leveraging paper processes.

However, the hospital admits the outages have caused serious care disruptions. Specifically, “more than 4,000 ambulatory patient tests, 300 surgical interventions, and more than 11,000 visits to external consultations have been stopped.”

The hospital is working with law enforcement on plans to help patients and staff guard against fraud attempts, as well as assessing ways the hospital can strengthen its cyber posture.

Meanwhile, the Saint-Pierre Hospital in Brussels was forced to temporarily close the emergency room and divert some patients to nearby care facilities on Saturday, due to a cyberattack.

An official statement shows emergency room and telephone line outages lasted only the day. But during the downtime, many applications were inaccessible, including patient records and phone lines. For now, it appears no data has been affected. Officials are still investigating.

Bone and Joint Clinic reports data exfiltration incident

Approximately 106,000 patients and current or former employees tied to Bone & Joint Clinic in Wisconsin are being notified that their data was exfiltrated ahead of a “network disruption” incident in mid-January.

The system intrusion was detected on Jan. 16, prompting an investigation. The response team found that “certain administrative and medical files” were acquired during the hack, which included both personal and protected health information. The stolen data could include names, dates of birth, SSNs, contact information, diagnoses, treatments, and health insurance details.

Bone & Joint contacted the FBI, is cooperating with its investigation, and has since “engaged resources to provide notification and remediation services.”

Update: This piece was updated on March 3 with the total number of patients affected by the Bone and Joint incident.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
