Health Plans, Laboratories, Health Departments Hit by Healthcare Data Breaches
Recent healthcare data breach notifications came from a health plan, a cancer testing laboratory, a hematology center, and a Washington health department.
Healthcare data breaches continue to impact hospitals and health systems, but cyberattacks at health plans and specialty clinics are also increasing as threat actors set their sights on smaller and less obvious targets.
A recent report by Critical Insight found that cyberattacks targeted at health plans and third-party business associates increased last year, while attacks against healthcare providers dipped slightly.
Some of the most recent healthcare data breach disclosures, outlined below, exemplify the wide variety of organization types that are facing data breaches and cyberattacks.
Cancer Testing Laboratory Faces Cyberattack
Cytometry Specialists, also known as CSI Laboratories, began notifying patients of a February cyberattack that disrupted the cancer testing lab’s information systems. CSI discovered the cyberattack on February 12 and took steps to isolate its systems.
On February 25, CSI learned that an unauthorized actor acquired files from its systems containing limited patient information, including names, birth dates, medical record numbers, health insurance information, and case numbers.
Although the notice suggested that the actor exfiltrated data, CSI assured patients that it would be highly unlikely that anyone could use their data in the future.
“At this time, CSI has no facts suggesting that any of the information has been further used and in some cases, it will be very difficult, if not impossible, for anyone to further use the information that was accessed,” CSI explained.
CSI Laboratories said it will improve security across its networks to prevent future cyberattacks.
Spokane Regional Health District Suffers Phishing Attack
Spokane Regional Health District (SRHD) said it suffered a phishing attack that potentially exposed the personal information of 1,260 individuals. SRHD IT staff discovered a phishing email on February 24 and found that an unauthorized actor potentially previewed some protected health information.
For 1,060 individuals, the unauthorized actor potentially viewed names, test results, birth dates, client notes, and other highly specific health information, including diagnosing state, patient risk level, baby delivery date, and medication information.
For the remaining 200 individuals, names, birth dates, phone numbers, shelter locations, test dates, and notes were potentially exposed.
“Much like the rest of the state of Washington, SRHD has experienced a record-level spike in phishing emails and malware installation attempts. In this instance, staff fell prey to a phishing scam which exposed confidential information to data thieves,” Lola Phillips, SRHD deputy administrative officer, said in the statement.
“We have a strong commitment to safeguard your personal information, and we are working diligently to reduce the likelihood of future events.”
Phillips said that SRHD has since implemented corrective actions and reinforced cybersecurity training. The department also implemented multi-factor authentication.
“We are committed to protecting the information of our clients and sincerely apologize for this incident,” Phillips said.
Michigan Cancer and Hematology Center Ransomware Attack Impacts 43K
Cancer and Hematology Centers of Western Michigan fell victim to a ransomware attack that impacted 43,071 individuals, according to the Office for Civil Rights (OCR) data breach portal.
An announcement on the organization’s website stated that the incident occurred in late December and “affected a portion of our database.”
Cancer and Hematology Centers of Western Michigan said that unauthorized actors potentially accessed names and certain components of patients’ health records. For employees, the actors potentially accessed Social Security numbers and bank information.
The organization reported the incident to the FBI and worked with forensic teams to secure systems and determine the extent of the attack.
“Even one instance is one too many, and we have taken additional steps to strengthen our data security procedures. These include enhancing our security procedures, decommissioning several servers, mandating additional training, reviewing our policies and contracting with a third party for ongoing security monitoring,” the notice stated.
“Events of this nature are affecting an increasing number of companies in the U.S. and around the world. The federal government, law enforcement, and industry experts are working in tandem to address this activity.”
CareOregon Advantage Breach Impacts 10K
Oregon health plan CareOregon Advantage notified 10,467 past and current members of a data breach that potentially exposed protected health information.
On January 27, a contracted consultant who was not authorized to view PHI received an email attachment containing PHI. CareOregon Advantage said that the consultant immediately notified the organization and destroyed the document.
The document contained member names, Medicare and Medicaid ID numbers, and birth dates.
“CareOregon investigated this incident. Based on this review, we believe that this incident poses a low risk of fraud and/or identity theft,” the notice stated.
“Additionally, the investigation confirmed that the organization has the correct policies and procedures in place to address this type of breach and those processes are reviewed yearly. We’ve provided additional training to the employee to make sure this doesn’t happen again.”