kras99 - stock.adobe.com

Spoofing, Phishing, Ransomware Continue to Overwhelm Health Systems

One hospital is being inundated with reports of spoofed phone calls, as others deal with unauthorized email access, phishing, and ransomware.

Hospitals and health systems continue to face an overwhelming amount of cyberattacks, spoofing and phishing incidents, and breaches resulting from unauthorized email access.

Threat actors such as FIN12 and REvil/Sodinokibi are ramping up their attacks on the healthcare sector, adding an additional burden on providers in the middle of the pandemic.

To prevent, prepare, and effectively respond to security incidents, healthcare organizations should focus on improving cyber resiliency, investing in technical safeguards, and assessing third-party risks.

Henry Ford Health System Spoofing Incident Overwhelms Operators

Detroit-based Henry Ford Health System alerted patients to an ongoing phone spoofing scam that involves bad actors committing fraudulent phone calls with Henry Ford Macomb Hospital as the caller ID. Henry Ford operators have been fielding upwards of 200 calls per day from people who believe they have received calls from the hospital’s main phone number.

Some calls include the name of a former Henry Ford physician on the caller ID. Individuals who have answered the calls reported being told that they are owed money from the hospital, and the caller requests banking information in order to issue a refund.

“We don’t believe callers are identifying themselves as a representative of Henry Ford, but we are very concerned that scammers are using our number in a fraudulent way,” John Fowler, interim chief information privacy and security officer at Henry Ford, explained in the statement.

“This is extremely concerning. We want people to trust that when they get a call from Henry Ford, we are reaching out to them with important information about their health. And with hundreds of people calling each day simply because they think we’ve called them, our operators are facing some serious challenges.”

Henry Ford has since reported the spoofing incidents to the Federal Communications Commission (FCC) and urged call recipients to ignore calls from unknown numbers.

American Osteopathic Association Faces Data Theft Incident

Illinois-based American Osteopathic Association (AOA) began notifying individuals of a 2020 data theft incident that impacted 27,485 individuals, according to the Maine attorney general’s office.

AOA became aware of suspicious activity in late June of 2020 and immediately engaged with forensic investigators to determine the scope of the incident. The investigation revealed that an unauthorized malicious actor accessed and stole data from AOA’s systems.

Addresses, names, birth dates, Social Security numbers, financial account information, email addresses, usernames, and passwords were included in the stolen data. AOA determined the total number of impacted individuals on June 1, 2021.

“Like many businesses, the COVID-19 pandemic presented considerable challenges to AOA’s normal business operations,” AOA explained in its notice to patients.

“As a result, it has taken an extended time for AOA to identify the names and addresses of impacted individuals due to the pandemic’s impact on our staff’s working conditions, and their inability to be on location to identify all potentially impacted parties.”

AOA pledged to implement additional technical safeguards and employee training and is providing free credit monitoring to impacted individuals.

UF Health Faces Lawsuit After May Cyberattack Exposes Data of 700K Patients

Former patient Chrystal Holmes filed a lawsuit against UF Health Central Florida in the wake of a May 2021 data breach that put the data of 700,000 patients in jeopardy. The attack led to significant EHR downtime, and employees previously claimed that patient care was negatively impacted as a result.

The lawsuit alleged that UF Health failed to keep patient protected health information (PHI) and personally identifiable information (PII) safe and held patient data on its computer systems for longer than necessary, endangering the data further.

Both of the targeted hospitals, University of Florida Health Leesburg Hospital and The Villages Regional Hospital, allegedly had older computer systems than other UF hospitals.

“Until notified of the breach, Plaintiff and Class Members had no idea their PIT and PHI had been compromised, and that they were, and continue to be, at significant risk of identity theft and various other forms of personal, social, and financial harm,” the lawsuit alleged. “The risk will remain for their respective lifetimes.”

The lawsuit also alleged that the incident inflicted injury on the impacted individuals, including out-of-pocket expenses, lost or diminished value of PII and PHI, and continued risk to their PII and PHI.

“Plaintiff Holmes suffered lost time, annoyance, interference, and inconvenience as a result of the Cybersecurity Event and has anxiety and increased concerns for the loss of her privacy,” the lawsuit continued.

UF Health’s EHR system remained down for nearly a full month after the attack, and hospital staff resorted to using pen and paper to document patient care. UF Health has not responded to the pending litigation.

Former Employee Accesses, Shares PHI at NJ Hospital

University Hospital (UH) in Newark, New Jersey began notifying over 9,000 patients of a PHI breach that occurred between 2016 and 2017 when a former employee accessed and shared patient information with unauthorized individuals.

The hospital discovered the suspicious activity on August 24, 2021, years after the incident occurred.

“This former employee had authorized access to patient information to perform the essential functions of his/her job and exceeded the authorized use of that access. A criminal investigation is ongoing,” the hospital explained in its notice to patients.

The individual had continuous access to patient names, addresses, Social Security numbers, health insurance information, medical record numbers, clinical information, and birth dates.

“This incident did not affect all patients at UH; but only certain patients treated in the emergency department at UH following motor vehicle accidents between 2016 and 2017,” the statement continued.

Impacted individuals are eligible for one free year of credit monitoring and identity protection services, and UH said that it has since reviewed internal policies and updated staff training procedures.

Hackers Access Employee Email Accounts at UMass Memorial Health

Worcester, Massachusetts-based UMass Memorial Health informed individuals of an employee email account breach that occurred between June 2020 and January 2021.

UMass Memorial’s investigation was unable to determine whether the unauthorized bad actor viewed any emails or email attachments.

“Out of an abundance of caution, we reviewed all of the emails and attachments contained in the email accounts to determine if they contained any patient or health plan participant information,” the statement explained.

“This process has been time and labor intensive, but we wanted to be certain about what information was involved and to whom it pertained.”

The breached information potentially included names, dates of birth, medical record numbers, health insurance information, and treatment information. For health plan participants, names, subscriber ID numbers, and benefits election information may have been included. For others, Social Security numbers and driver’s license numbers were potentially exposed.

“We regret any concern or inconvenience this incident may cause, and we remain committed to protecting the confidentiality and security of our patients’ and health plan participants’ information,” the notice assured.

“To help prevent something like this from happening in the future, we have reinforced education with our staff regarding how to identify and avoid suspicious emails and are making additional security enhancements to our email environment, including enabling multifactor authentication.”

Next Steps

Dig Deeper on Healthcare data breaches