
UPDATE: UHS Health System Confirms All US Sites Affected by Ransomware Attack

In an Oct. 3 update, the UHS health system confirms all US sites were impacted by the ransomware attack that struck more than a week ago; phishing incidents and more ransomware attacks complete this week’s breach roundup.

Universal Health Services, one of the largest US health systems, confirmed on October 3 that the ransomware attack reported last week has affected all of its US care sites and hospitals, spurring clinicians into EHR downtime procedures.

In an October 5 update, UHS officials said: "The UHS IT Network has been restored and applications are in the process of being reconnected. The recovery process has been completed for all servers at the corporate data center and connectivity has been re-established for all U.S.-based inpatient facilities."

"Our major information systems such as the electronic medical record (EMR) were not directly impacted," officials said in a statement. "We are in the process of restoring connections to these systems and back-loading data from the past week."

"More than half of our Acute Care hospitals are live already or scheduled to be live by the end of today," they added. "UHS has deployed a significant number of IT and clinical resources to the hospitals, to support the resumption of online operations. The go-lives will continue on a rolling basis; in the meantime, those working toward go-live are continuing to use their established back-up processes including offline documentation methods."

Hackers launched the cyberattack around 2AM Sunday, September 27, which prompted a number of staff members and clinicians from around the country to take to Reddit to determine the scope of the attack. The thread detailed outages to computer systems, phone services, the internet, and data centers. 

Some hospitals diverted ambulances during the initial stages of the attack, and some lab test results were delayed. According to staff, the attack began shutting down systems in the emergency department and proliferating across the network. Staff took screenshots of the incident and confirmed it was ransomware. The notorious Ryuk variant is suspected. 

UHS officials reported the incident as an IT disruption the following day and have since updated the notification to confirm it was a malware cyberattack.

“All systems were quickly disconnected, and the network was shut down in order to prevent further propagation,” officials explained in the statement. “The UHS IT Network is in the process of being restored and applications are being reconnected.” 

“The recovery process has been completed for all servers at the corporate data center. All US-based inpatient facilities have connectivity established back to the corporate data center and are in process of securely connecting to those systems,” they added. 

Officials also noted that the electronic medical record was not directly impacted by the ransomware, nor were the UK-based sites. The restoration efforts are focused on the connections to the EMR system. Clinicians are continuing to operate under back-up processes, including offline documentation methods. 

Patient care is safely and effectively continuing amid the recovery efforts, officials added. The notification did not detail the ransomware variant, nor when the recovery efforts would conclude. A Coveware report showed ransomware attacks spur 15 days of EHR downtime, on average.

This story has been updated with the latest UHS recovery efforts.

MU Health Care Reports Phishing Attack Impacting 189K

For the second time in just a year, the University of Missouri Health Care reported that a phishing attack has caused a data breach, impacting 189,736 patients. 

In 2019, MU Health Care reported two employee email accounts were hacked for more than a week between April 23 and May 1, 2019, which compromised the data of 14,000 patients. The hacker was able to gain access to a trove of data, including health insurance details, clinical and treatment information, and some Social Security numbers. The breach victims soon filed a lawsuit.

The latest breach was caused by a successful phishing attack, which occurred between May 4 and May 6. And much like its last breach notification, the provider is yet again notifying patients far beyond the HIPAA-required timeframe of 60 days between the discovery of the breach and patient notifications. 

The investigation into the cyberattack concluded on August 28 and found the hacker could have potentially accessed the data contained in the accounts, including names, dates of birth, medical record or patient account numbers, health insurance information, and/or limited clinical or treatment data, such as diagnostics, prescriptions, and procedure information.

Some Social Security numbers were also compromised. Those patients will receive free credit monitoring and identity protection services. 

In response to this latest breach, MU Health Care has implemented additional security enhancements to its email environment and reinforced staff security training. Notably, the notification does not specify whether it will update its email policies in regard to storing patient data in its email accounts. 

Oaklawn Hospital Phishing Attack Impacts 27K Patients

Michigan-based Oaklawn Hospital recently notified 26,861 patients that their data was potentially breached after a two-day phishing attack in April. The provider did not disclose when the attack was first discovered. 

The investigation concluded on July 28, finding the attackers gained access to multiple email accounts after employees responded to phishing emails with their credentials. 

The review found the accounts contained a range of patient information, including medical data, health insurance details, and dates of birth. For a limited number of patients, Social Security numbers, driver’s licenses, and financial account information were compromised.

Further, the provider explained the delay in notification was caused by the extensive manual document review of each impacted email account. Oaklawn has since implemented multi-factor authentication, among other cybersecurity measures. 

Ransomware Hackers Hit eResearchTechnology

Cybercriminals have successfully launched a ransomware attack against eResearchTechnology, a health tech firm working on COVID-19 clinical trials, according to an exclusive New York Times report. 

First discovered by employees who were locked out of their data, the attack lasted for about two weeks and slowed some of those trials. Officials stressed the clinical trial patients were not at risk, but trial researchers were forced to track data with pen and paper as the IT team worked to recover the systems. 

The attack impacted some clinical trials, including IQVIA, the contract research firm managing the AstraZeneca COVID-19 vaccine trial and Bristol Myers Squibb, the drug manufacturer leading several companies in the development of a faster COVID-19 test. 

ERT did not disclose how many trials were affected by the event. On Friday, some systems were back online, and officials said they predict the remaining systems will be brought online within the next few days. 

Federal agencies and security researchers have repeatedly warned that hackers are targeting COVID-19 data. Threat actors have launched attacks against the World Health Organization and have successfully attacked several COVID-19 research firms in recent months. 

A July report from BitSight found many biomedical, healthcare, pharmaceutical, and other academic research firms publicly working on the development of a COVID-19 vaccine are operating on systems with known security issues and other vulnerabilities. 

NetWalker Ransomware Actors Post Data From Medical Manufacturer

The hackers behind the NetWalker ransomware variant have again posted data allegedly stolen from a healthcare entity. The latest dark web posting shows data from Sientra, a medical manufacturer of breast implants. 

In screenshots shared with HealthITSecurity.com, the proofs show a host of files allegedly stolen from Sientra, such as analytics data, clinical operations information, customer service details, finance documents, business agreements, and a host of other files. 

The proofs also contain test order information for employees, including names, contact details, collection sites, and sensitive testing results, including drug use. 

A range of ransomware actors have taken to these double extortion methods, with the frequency of attacks on healthcare rapidly increasing during the summer. Just last month, NetWalker, REvil, SunCrypt, and Pysa (also known as Mespinoza) hackers posted data allegedly stolen during five separate attacks on healthcare entities.
