Mid-Size Orgs Continue to Be Targeted in Healthcare Cyberattacks

Small to mid-size organizations and outpatient facilities continue to be targets for healthcare cyberattacks that often lead to PHI exposure.

Healthcare cyberattacks continue to plague small and mid-size organizations and outpatient facilities as larger health systems implement safeguards that make attacks more challenging.

Trends on the Office for Civil Rights (OCR) data breach portal show a multitude of cyberattacks on smaller healthcare organizations that may not have the resources to effectively fight back.

Recently discovered cyber incidents include a ransomware attack on a Pennsylvania primary care clinic and data exfiltration and encryption at a family of neuromonitoring practices.

Pennsylvania Primary Care Clinic Hit with Ransomware

Pennsylvania-based TriValley Primary Care began notifying an undisclosed number of patients that their protected health information (PHI) was potentially exposed in a recent cybersecurity incident.

TriValley discovered a ransomware attack on October 11 that impacted its networks and servers containing PHI. The primary care provider concluded its investigation on November 4 and determined that an unauthorized individual accessed TriValley’s systems and possibly obtained PHI.

“The forensic analysis could not definitively determine when the unauthorized individual initially got into the systems or the specific records and data that were accessed or obtained,” the statement explained.

“As of now, TriValley has no evidence indicating any misuse of protected information.”

The investigation could not determine when the individual gained access to the systems or what specific records were accessed or obtained. TriValley recommended that impacted individuals take steps to protect their information and is offering free credit monitoring and identity theft protection services.

“TriValley is implementing additional safeguards to its existing cybersecurity infrastructure and enhancing their employee cybersecurity training,” the statement concluded.

“Further, TriValley is working with external cybersecurity experts to improve its cybersecurity policies, procedures, and protocols to help minimize the likelihood of this type of incident occurring again.”

NM Health Plan Data Breach Impacts 63K

True Health New Mexico (THNM) experienced a data breach that impacted 62,983 individuals, including current and former THNM members, select providers, and former members of New Mexico Health Connections.

THNM discovered suspicious activity on October 5 and subsequently retained external cybersecurity professionals to investigate. The investigators determined that an unauthorized individual gained access to the health plan’s IT systems and may have had access to files containing names, birth dates, addresses, medical information, insurance information, Social Security numbers, provider information, dates of service, health account member IDs, and provider identification numbers.

True Health said it mailed letters directly to the impacted individuals. Impacted individuals are eligible for a complimentary 24-month credit monitoring service membership.

“THNM takes the security of your personal information very seriously. Therefore, upon discovering the incident, we promptly took steps to secure and contain the impacted THNM systems and supplemented our internal response teams with external cybersecurity professionals and other outside experts,” the statement explained.

“We shut down certain systems where necessary, took other preventative measures, and supplemented our existing security monitoring, scanning, and protective measures. Through these efforts, True Health quickly restored its principal operations with no material day-to-day impact to operations. We are working with law enforcement officials on their ongoing criminal investigation of this matter.”

Medsurant Data Breach Impacts 45K, Still Determining Who to Notify

Medsurant Holdings, a family of neuromonitoring practices across the US, posted a notice on its website alerting individuals to a data security incident that may have impacted patient PHI. According to OCR, the incident impacted 45,000 individuals.

Medsurant said it received a suspicious email on September 30 from a bad actor who said that they removed data from the Medsurant environment. Further investigation revealed that the unknown actor had access to the systems between September 23 and November 12, and some data was exfiltrated. Other data was encrypted and later restored.

“Medsurant is in the process of performing a review of the information impacted to identify the individuals whose information may have been compromised by the unknown actor,” the statement explained.

“Once this review is complete, Medsurant will then work to determine the identities and contact information for potentially impacted individuals and provide notice via written letter.”

The bad actor may have accessed patient files containing names, addresses, diagnoses, birth dates, Social Security numbers, and claims information.

Planned Parenthood LA Data Breach Impacts 400K Patients

A hacker gained access to Planned Parenthood Los Angeles’s (PPLA) network between October 9 and October 17, The Washington Post reported. The hacker installed malicious software, exfiltrated files, and impacted 400,000 patients.

PPLA found suspicious activity on October 17 and immediately took their systems offline, a letter sent to patients on November 30 stated.

“On November 4, 2021, we identified files that contained your name and one or more of the following: address, insurance information, date of birth, and clinical information, such as diagnosis, procedure, and/or prescription information,” the letter continued.

The breach only impacted the Los Angeles branch of Planned Parenthood, and it remains unclear what the hacker’s motives were.

CO Neurosurgical and Spine Provider Breach Impacts 21K

Boulder Neurosurgical & Spine Associates (BNA) experienced a data breach that impacted 21,450 individuals, according to the OCR data breach portal. At the time of publication, BNA has not posted a notice on its website.

“On September 21, 2021, BNA detected a compromise to one of its business email accounts,” the company told BizWest.

“BNA quickly engaged cyber security experts and a leading incident response team to secure the subject email account, assess the extent of the unauthorized activity, and remediate any damage caused by the incident. A third-party IT forensic firm also launched an investigation to determine what, if any, information could have been compromised in the incident.”

The compromised data may have included names, medical records, and birth dates. Addresses and Social Security numbers were not impacted, and BNA told BizWest that it has notified impacted individuals.
