Ransomware Hits Scripps Health, Disrupting Critical Care, Online Portal

Scripps Health is operating under EHR downtime and diverting some critical care after a ransomware attack over the weekend; a third-party incident, employee error, phishing, email hacks, and another Netgain victim complete this week’s breach roundup.

Scripps Health in San Diego was hit by a ransomware attack over the weekend, forcing the health system into EHR downtime. Some critical care patients were diverted and the online patient portal has been taken offline, according to local news outlet San Diego Union-Tribune.

Monday appointments were also postponed due to the cyberattack, which disrupted operations at two of Scripps’ four main hospitals and backup servers that reside in Arizona. Providers and other clinicians are leveraging paper records, as telemetry has been impacted at most care sites. Access to medical imaging also appears to be down.

Reports say all four hospitals in Encinitas, La Jolla, San Diego, and Chula Vista were placed on emergency care diversion for stroke and heart attack patients, who were diverted to other medical centers when possible. All trauma patients were also diverted.

The Scripps website was also down at the time of publication. Outpatient urgent care centers, Scripps HealthExpress locations, and emergency departments remain open and are accepting patients.

Law enforcement and appropriate government agencies have been notified. This piece will be updated as more information becomes available.

PA Health Dept. Contact Tracing Data Leaked by Third-Party Vendor Error

The data of 72,000 individuals who used the Pennsylvania Health Department’s contact tracing app was exposed, after a third-party error. The vendor, Insight Global, was contracted by the state health department for contact tracing services.

On April 21, Insight Global leadership discovered that certain employees set up and used several different Google accounts to share information, including documents related to the collection of contact tracing.

The unauthorized collaboration channel likely made the data vulnerable to exposure. Officials immediately took steps to prevent further access to or disclosure of more information, which was completed two days after the discovery.

An investigation into the incident determined that some personal information related to COVID-19 contact tracing in Pennsylvania, collected by employees, may have been accessible to individuals outside of authorized employees and public health officials.

For now, it appears the compromised data included the names of individuals who were potentially exposed to COVID-19, positive or negative test results, any experienced symptoms, household members, and some contact information for those with specific social support service needs.

The potential exposure occurred between September 2020 and April 21, when it was discovered. However, only a portion of individuals contacted during the seven-month exposure period were impacted.

Insight Global did not collect Social Security numbers, financial account information, or payment data, and thus, the data was not involved in the incident. The vendor has been working with a third-party IT security firm and the state to determine the scope of the incident and the identification of individuals whose data may have been impacted.

All affected individuals will receive complimentary credit monitoring and identity protection services.

“Written protocols and policies only go so far, and can be easily circumvented unless there are controls in place to prevent careless or malicious activities,” Samantha Humphries, Exabeam security strategist, told HealthITSecurity.com in an email.

“Furthermore, without secure business processes and tooling in place to support employees, there is a risk that they may decide to disregard policy in favor of taking a quicker or easier option,” she added. 

To combat this, Humphries stressed the need for entities to ensure business requirements are balanced with security needs, including the correct monitoring and controls to protect sensitive data from unauthorized access.

Wyoming Health Dept. Employee Error Exposes Data of 164K Patients

About 164,021 patients of the Wyoming Health Department were recently notified that their data was exposed, after an employee accidentally exposed their protected health information online.

On March 10, officials discovered that an employee unintentionally uploaded 53 files containing COVID-19 and influenza test result data and one file containing breath alcohol test results to private and public GitHub storage repositories.

The incident resulted in the data being made available to those without authorization and began as early as November 5, 2020.

The exposed health data included COVID-19 test results electronically reported to the health department, including patient IDs, contact information, dates of birth, test results, and dates of service. No SSNs, banking details, financial data, or health insurance information was compromised.

“While WDH staff intended to use this software service only for code storage and maintenance rather than to maintain files containing health information, a significant and very unfortunate error was made when the test result data was also uploaded to GitHub.com,” Michael Ceballos, WDH director, said in a statement.

“We are taking this situation very seriously and extend a sincere apology to anyone affected. We are committed to being open about the situation and to offering our help,” he added.

The health department has since removed the impacted files from the site, and GitHub destroyed any dangling data from their servers. Officials said they’ve since revised policies to include prohibiting the use of GitHub or other public repositories. 

The workforce has also been retrained on security policies and procedures.

Health Center Partners Added to Netgain Victims

The data of 293,516 Health Center Partners of Southern California patients was compromised during a ransomware attack on Netgain Technology in September 2020.

HCP supports community health centers with a variety of services, including San Ysidro Health, which also sent breach notices tied to the Netgain incident last week.

Netgain notified HCP that an attacker gained access to the vendor’s environment between October 22 and December 3, 2020. During that time, the actors stole a trove of provider data, including patient information belonging to HCP.

Netgain paid the ransom “in exchange for assurances that the attacker will delete all copies of this data and that it will not publish, sell, or otherwise disclose the data.” The vendor has continued to monitor dark web channels to ensure the data has not been disclosed.

So far, the attackers have upheld the agreement. However, it’s important to note that Coveware has routinely stressed that victims should not pay the attackers, as they, more often than not, cannot be trusted.

HCP launched its own investigation into the incident alongside assistance from outside cybersecurity leaders, including a review of the impacted files to determine the scope of the incident. The information varied by patient but included SSNs. The remaining data was not disclosed in the notice.

The Netgain incident is behind some of the largest healthcare data breaches reported in 2021 so far.

The previously disclosed victims include Ramsey County’s Family Health Division (8,700 individuals), Elara Caring (100,487 individuals), Woodcreek Provider Services (207,000), Apple Valley Clinic (157,939 individuals), and Sandhills Medical Foundation (39,602 individuals).

HME Specialists Email Hack Impacts 153K Patients

New Mexico-based HME Specialists recently notified 153,013 patients that their data was potentially compromised after the hack of several employee email accounts.

The notice does not detail when the security incident was first discovered. Rather, an investigation concluded on March 11 that the hacked accounts contained patient information, and that the attackers had access to the accounts for nearly a month between June 24, 2020 and July 14, 2020.

The accounts contained personal and protected health information that varied by patient but could involve names, dates of birth, diagnoses, and/or clinical data. For a smaller subset of patients, SSNs, driver’s license numbers, financial account information, credit card numbers, and usernames and passwords were compromised.

Patients whose SSNs were compromised will receive a year of free credit monitoring.

HME has since bolstered its technical safeguards on its email system, implemented multi-factor authentication, and retrained employees on detecting malicious emails to reduce the risk to the enterprise.

Phishing Attack on RiverSpring Health 

The data of 31,195 patients of RiverSpring Health in New York was recently compromised after a successful phishing attack on one employee email account in September 2020.

A hacker gained access to an employee email account on September 14, 2020 through the phishing attack, which installed malware and led to the access and removal of data from the impacted account.

The attack was detected and the access blocked on September 15, 2020, by the removal of the malware and a credential reset. The investigation concluded on February 17 that personal data may have been accessed during the incident.

It’s important to note that under HIPAA, breach notifications are required within 60 days of detection, not after the close of an investigation.

The compromised data varied by patient and could include demographic details, contact information, member IDs, Medicaid IDs and/or SSNs, and references to medical information, like provider names. No credit card or financial information was impacted.

RiverSpring has since implemented enhanced software protections to defend against future attacks and retrained employees to better identify and report phishing emails.

MailMyPrescriptions.com Email Hack Impacts 31K Individuals

An email hack of pharmaceutical company MailMyPrescriptions.com potentially compromised the data of 31,195 individuals.

Discovered on November 24, 2020, an attacker gained access to one employee email account. In response, the account was quickly secured and an investigation was launched with assistance from an outside cybersecurity firm.

The investigation concluded on January 15, which led to an account review to determine just what information was impacted during the hack. The review ended on February 17 and found the data may have been viewed during the incident.

The compromised data included a limited amount of protected health information belonging to both current and former customers, including full names combined with one or more data elements, such as prescription information, treatments, diagnoses, and health insurance information.

The pharmacy company has since implemented additional security measures to prevent a recurrence.
