
Outpatient Facilities Continue To Be Targeted In Healthcare Cyberattacks

Some cybercriminals shifted their targets to outpatient facilities and business associates rather than big health systems.

Outpatient facilities and business associates continue to be prime targets for healthcare cyberattacks. Large health systems tend to have more resources to combat cyberattacks, causing cybercriminals to instead target unsuspecting victims.

Florida Dermatology Practice Targeted in Cyberattack

Suncoast Skin Solutions in Florida revealed that it was the victim of a healthcare cyberattack that impacted over 57,000 individuals.

Suncoast discovered that some of its systems had been encrypted by an unauthorized third party on July 14, 2021. From July to November, Suncoast conducted a forensic investigation via a cybersecurity firm and did a preliminary review of its systems.

Names, clinical information, doctor’s notes, birth dates, and other limited treatment information may have been viewed by the third party.

“At this time, Suncoast has no reason to believe that any personal information of Suncoast’s patients has been misused as a result of this incident,” the notice stated.

“Out of an abundance of caution, Suncoast notified the patients potentially impacted by the incident.”

Since the incident, Suncoast said it has engaged a third-party vendor to review its cybersecurity practices and transferred all patient data to an encrypted system.

Jefferson Surgical Clinic Faces Cyberattack

Roanoke, Virginia-based Jefferson Surgical Clinic (JSC) began notifying over 170,000 individuals of a healthcare cyberattack, according to the Maine Attorney General’s Office.

On June 5, 2021, JSC discovered that an unauthorized third party had attempted to infiltrate the clinic’s network. JSC immediately contacted the FBI and launched an investigation with the help of forensic specialists, the letter to patients explained.

Exposed information may have included names, birth dates, treatment information, and Social Security numbers. Although the third party may have accessed this information, JSC said it had no evidence to indicate that any personal information would be misused.

“Unfortunately, [cyberattacks] such as this are becoming increasingly common worldwide and the healthcare industry has become particularly vulnerable,” the January 6 notice explained.

“We are doing everything we can to prevent a similar criminal attack such as this from happening again.”

It is unclear why JSC sent the letter to impacted individuals 7 months after the incident.

Threat Actors May Have Stolen PHI in August Memorial Health Cyberattack

Despite increased attacks on smaller healthcare organizations, larger health systems are still facing ransomware at high rates. Ohio-based Memorial Health System (MHS) confirmed that data may have been stolen in an August ransomware attack that impacted over 215,000 patients. MHS discovered malware on its systems on August 14, 2021. The ransomware attack led to significant cancellations and ambulance diversions. 

The threat actors may have viewed or acquired names, birth dates, patient account numbers, Social Security numbers, treatment information, and medical record numbers. Despite reporting that the threat actors may have stolen patient data, MHS said it had "no reason to believe that any identity theft or unauthorized use of the affected information occurred."

MHS said it improved its security measures and "took immediate steps to improve the security of our environment and increase our security posture."

Jefferson Health Cyberattack Exposes Patient Billing Info

Pennsylvania-based Jefferson Health posted a patient notice on its website regarding a November data breach involving patient billing information and protected health information (PHI).

The Office for Civil Rights (OCR) data breach portal lists two incidents, one at Thomas Jefferson University Hospital, and the other at Abington Memorial Hospital. Both organizations are part of Jefferson Health, and the links on each of their websites lead to the same data breach notification.

According to OCR, 3,475 individuals from Abington Memorial Hospital were impacted, and 5,239 individuals from Thomas Jefferson University Hospital were impacted.

On November 18, Jefferson Health discovered that an unauthorized individual accessed an online health insurance portal and diverted wire payments intended for Jefferson Health. The health system said it immediately launched an investigation and worked with the health insurance company to resolve the incident.

“On November 22, 2021, we learned that in the process of carrying out this attempt, the unauthorized person obtained a remittance sheet that contained patient billing information, including names, month and year of birth, date(s) of service, treatment code, and treatment cost,” the notice explained.

Only patients whose information was on the remittance sheet were impacted by this incident. Jefferson Health said it will enhance its security protocols as a result of this incident.

Connecticut CPA Firm Faces PHI Breach

Healthcare business associate and CPA firm Fiondella, Milone & LaSaracina (FML) notified over 6,000 individuals of a data breach that may have exposed medical information and Social Security numbers.

The cyberattack occurred between September 9 and September 14, 2021. By early October, FML determined that cybercriminals had potentially copied some folders on its network.

FML could not determine exactly which documents were copied. As a result, the firm reviewed all potentially impacted folders. The folders mostly contained names and Social Security numbers, the notice stated.

For some individuals, ambulance trip information, billing information, remittance advice details, medical information, and payment information may have been exposed.

“Information security is one of FML’s highest priorities, and we have security measures in place to protect information in our care. We responded promptly when we discovered this incident by taking steps to secure our systems and commence a comprehensive investigation,” the notice continued.

“We are also reviewing and enhancing existing policies and procedures and implementing additional safeguards to further secure the information in our systems in the future. We reported this incident to federal law enforcement and are also notifying relevant regulatory authorities.”
