
207K Rehoboth McKinley Patients Tied to Conti Ransomware, Data Leak

Rehoboth McKinley Christian Health notifies patients two months after Conti ransomware actors leaked their data; the CaptureRx breach, an Avaddon data leak, a programming error, an email hack, and more Netgain victims complete this week’s breach roundup.

Two months after the Conti ransomware group leaked data it claimed to have stolen from Rehoboth McKinley Christian Health Care Services (RMCHCS), 207,195 patients are being notified that their personal information was taken and used in an extortion attempt.

As the FBI recently warned, the Conti group has been actively targeting the healthcare sector for the last year, claiming at least 16 healthcare-related victims.

In mid-February, Conti actors posted 2 percent of the overall data they asserted came from a hack on the New Mexico provider. The dark web posting included files titled 'passports', 'driver’s licenses', and 'bill of sale'.

At the time, the actors’ dark web posting, examined by HealthITSecurity.com, contained complete scanned documents, unredacted and with no access restrictions. The post included scans of patient records covering treatments, diagnoses, and similarly sensitive information, including echocardiogram reports.

The notice explains that RMCHCS learned of the data leak on the same day the public did. Officials said they then found that patient information had been removed from the network during an intrusion that the security team was already investigating when the leak appeared.

The cyberattack drove RMCHCS into EHR downtime procedures, raising several concerns as the nonprofit hospital serves the Navajo nation, which was ravaged by the pandemic.

The hospital lost access to patient records and other computer systems during the attack. At the time, officials said the hospital was continuing to provide patient care without disruption.

After the exposure and attack, RMCHCS engaged a third-party forensic firm to assist with the investigation and remediation. The review found that the attackers first gained access on January 21 and moved across the network for about two weeks, until February 5.

During that time, the Conti actors gathered patient-related information and exfiltrated it from the network. On April 5, the investigators identified which individuals were affected by the hack.

The notice confirms that the hackers accessed and stole highly sensitive patient data, including Social Security numbers, passports, health insurance information, contact details, medical information, medical record numbers, financial account information, and other data.

All impacted patients will receive free identity monitoring and restoration services. RMCHCS notified law enforcement after the incident, and following the online data leak the FBI launched its own investigation. The notice does not, however, tell patients that their data was published online or what the potential impact of that leak is.

RMCHCS has since improved its security and monitoring, as well as hardened defense to prevent a recurrence.

CaptureRx Breach Tally: More than 1.6M Patients Impacted

The CaptureRx data breach tally has been reported to the Department of Health and Human Services as impacting 1.66 million patients.

As more information becomes available, the impact of the CaptureRx incident is on par with the Accellion FTA hack. Both vendor breaches are easily the two largest data breaches in the healthcare sector this year, so far.

As previously reported, the vendor was hit with a ransomware attack in February 2021 and affected the data of multiple healthcare clients.

Its notice does not say when it first discovered the intrusion, only that the investigation concluded the attacker accessed and stole information from its systems in February. Officials said the impacted data included patient names, dates of birth, and prescription information.

CaptureRx is reviewing its security policies and enhancing its security processes, in addition to retraining its staff.

For now, the HHS-reported impacted healthcare entities include:

- Faxton St. Luke’s Healthcare (17,655)

- Jordan Valley Community Health Center (12,000)

- Trinity Health System - Twin City (9,579)

- Hudson Headwaters Health Network (8,100)

- UPMC Cole (7,376)

- Gifford Health Care in Vermont (6,777)

- Ascension St. Joseph Hospital (5,807)

- Brownsville Community Health Center in Texas (4,258)

- Thrifty Drug Stores (3,958)

- Ascension St. Agnes Healthcare (2,821)

- Hidalgo Medical Services (2,179)

- Our Lady of Lourdes Memorial Hospital (1,745)

- Ascension Standish Hospital (1,705)

Prestige Medical Reports Avaddon Data Leak to HHS

Prestige Medical Group has reported a data breach to HHS as impacting 34,203 patients. The notice stems from the previously reported data extortion attempt and leak by Avaddon ransomware threat actors in early April 2021.

Its website does not have a notice posted on the incident. But in April, Avaddon actors claimed they had obtained medical information tied to Prestige clients, doctor’s notes, employee information, and financial data from the provider, as well as other sensitive information.

Health Plan of San Joaquin Notifies 420K Individuals of October 2020 Email Hack

About 420,000 individuals tied to the Health Plan of San Joaquin (HPSJ) were recently notified that their data was potentially compromised after the hack of several employee email accounts in October 2020. The notice does not explain the delay in reporting.

First discovered on October 23, 2020, the intrusion gave an attacker access to multiple employee email accounts over a roughly two-week window between September 26 and October 12, 2020, officials said. The actor logged into these accounts and accessed the information they contained.

Upon discovery, HPSJ reset all email passwords to cut off the access and launched a review to determine whether any information was affected. The notice does not say whether the investigation found evidence that data was viewed or taken.

The accounts contained information that varied by individual and could include member names, member ID numbers, claim ID numbers, dates of birth, lab results, medical ID numbers, prescriptions, treatments, driver’s licenses, government-issued IDs, financial account details, health insurance information, record numbers, usernames and passwords, and SSNs.

More Providers Added to Netgain Incident

SAC Health Systems and San Diego Family Care (SDFC) recently reported to HHS that their patient information was compromised by the ransomware attack on third-party tech services vendor Netgain in late 2020.

The first breach notices stemming from the Netgain incident were released in early February 2021. At the time, officials from Ramsey County, Minnesota reported that Netgain informed them of the security incident in December 2020.

The attacker demanded a ransom from Netgain after compromising an application used by Netgain’s clients. About 8,700 Ramsey County residents were impacted, but other clients soon began reporting the incident and the tally expanded.

About 300,000 patients of Woodcreek Provider Services and Elara Caring were affected by the hack, as well as 157,939 patients of Allina Health’s Apple Valley Clinic. The affected patients also included 293,516 from Health Center Partners of Southern California, a business associate of SDFC.

The latest notices from SAC Health and SDFC show 28,128 SAC patients were included in the compromise, as well as 125,500 SDFC patients.

The compromised data varies by patient and could include names, contact details, SSNs, driver’s licenses, state IDs, tax identification numbers, electronic signatures, financial account information, health insurance policy numbers, subscriber numbers, and other medical data.

SAC Health also ceased using Netgain as a vendor as a result of the ransomware incident.

ZocDoc Programming Errors Expose Data of 7,600 Patients

New York-based ZocDoc recently notified 7,600 patients that programming errors on its provider portal exposed their data for an undisclosed period; the errors were discovered almost a year ago.

ZocDoc provides an online service that lets individuals find and schedule in-person and telemedicine appointments for both medical and dental care. The affected platform allows providers to list available appointment times, and each registered practice can log in to the ZocDoc system to view the information patients enter.

In August 2020, officials said they learned that programming errors within the platform allowed current and former staff members to reach the provider portal after their access was supposed to have been limited, removed, or deleted.

The exposed data could include names, contact information, appointment history, and other sensitive information, including insurance member IDs, SSNs, and relevant medical history provided through ZocDoc.

ZocDoc does not collect or store credit card, radiological or diagnostic information, medical records, or other financial data.

Upon discovery, ZocDoc launched an investigation of its software and code, then repaired the programming errors. The affected usernames and credentials can no longer access the platform. Officials said they have since bolstered its security practices.

Notably, the notice does not explain the nearly year-long gap between discovering the errors and notifying patients. Under HIPAA, covered entities and business associates must notify affected individuals without unreasonable delay and no later than 60 days after discovering a breach; breaches affecting 500 or more individuals must also be reported to HHS within that window.

The medical practices impacted by these flaws have been notified and encouraged to conduct an internal assessment as “an additional precaution.”
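The ZocDoc notice describes the classic shape of this failure: an account was "intended" to be limited or removed, but the authorization check never consulted the state that offboarding actually changed. The example below is added here to illustrate that pattern; it is not ZocDoc's code, and the users, practices, roles, and patient IDs are constructed for the demonstration. The flawed check accepts any valid staff login, the corrected check denies by default and requires an active account plus a current membership in the requested practice, and a small review routine shows the kind of internal assessment a practice could run to find sessions that should no longer exist.

```python
# Added example (not ZocDoc's code): a provider-portal authorization check
# reproducing the failure mode described above, beside a corrected version,
# and a review that finds access that was "intended" to be removed.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class User:
    username: str
    role: str       # "staff" or "admin" (assumed roles)
    active: bool    # offboarding flips this to False


@dataclass
class Membership:
    username: str
    practice_id: str
    removed_at: Optional[datetime]   # set when a practice drops the staffer


# Constructed sample data, not taken from the breach.
USERS = {
    "alice": User("alice", "staff", active=True),
    "bob":   User("bob",   "staff", active=False),  # offboarded, login row still exists
    "carol": User("carol", "staff", active=True),   # moved from practice-1 to practice-2
}
MEMBERSHIPS = [
    Membership("alice", "practice-1", None),
    Membership("bob",   "practice-1", None),        # offboarding never touched this row
    Membership("carol", "practice-1", datetime(2020, 6, 1, tzinfo=timezone.utc)),
    Membership("carol", "practice-2", None),
]
PATIENTS = {"practice-1": ["pt-100", "pt-101"], "practice-2": ["pt-200"]}


def can_view_vulnerable(username: str, practice_id: str) -> bool:
    """Flawed check: a known login with a staff role is enough. It ignores the
    deactivation flag and never asks whether the user still belongs to the
    practice whose patients are being requested."""
    user = USERS.get(username)
    return user is not None and user.role in ("staff", "admin")


def can_view_fixed(username: str, practice_id: str) -> bool:
    """Deny by default: the account must be active AND hold a current
    (not removed) membership in exactly the requested practice."""
    user = USERS.get(username)
    if user is None or not user.active:
        return False
    return any(
        m.username == username and m.practice_id == practice_id and m.removed_at is None
        for m in MEMBERSHIPS
    )


def list_patients(username: str, practice_id: str, check) -> list[str]:
    """Return the practice's patient IDs only if `check` authorizes the request."""
    if not check(username, practice_id):
        return []
    return list(PATIENTS.get(practice_id, []))


def find_stale_access(active_sessions: dict[str, str]) -> list[tuple[str, str]]:
    """The kind of internal assessment a practice could run: every live session
    (username -> practice_id) that the corrected check would reject."""
    return sorted((u, p) for u, p in active_sessions.items() if not can_view_fixed(u, p))


if __name__ == "__main__":
    sessions = {"alice": "practice-1", "bob": "practice-1", "carol": "practice-1"}
    for u, p in sessions.items():
        print(u, "vulnerable:", list_patients(u, p, can_view_vulnerable),
              "fixed:", list_patients(u, p, can_view_fixed))
    print("stale sessions:", find_stale_access(sessions))
```

The point of the two checks is that both offboarded users still satisfy the vulnerable predicate, because deactivation and membership removal updated rows the predicate never reads. The corrected check ties authorization to the same state offboarding modifies, so removing access in one place actually removes it; the review function then becomes a cheap way to confirm there are no live sessions the policy would no longer grant.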
