aleksandar nakovski - stock.adob

PACS Vulnerability of Orthopedic Specialist Exposes Data From 28K

As previously reported, a PACS vulnerability at Mendelson Kornblum Orthopedic left patient data exposed; an email hack, cyberattacks, and vendor incident complete this week’s breach roundup.

Mendelson Kornblum Orthopedic and Spine Specialists recently notified more than 28,000 patients that their data was exposed due to a vulnerability in its Picture Archiving and Communication Systems (PACS).

In November, an exclusive HealthITSecurity.com report showed a number of US healthcare delivery organizations were leaking troves of medical images from PACS and DICOM flaws. The largest culprit was found to be Mendelson Kornblum.

Dirk Schrader, Global Vice President at New Net Technologies (NNT), found more than 820,000 patient records related to about 8 million medical images tied to Mendelson Kornblum. To identify the owner, Schrader leveraged SSL certification details and physician names on the vulnerable system.

According to Mendelson Kornblum’s notice, the provider became aware of the flaw on January 5 and launched an investigation. Officials said they took steps to address the vulnerability on the applicable server and enhanced existing security measures to prevent a recurrence.

The provider is unclear how long the data were exposed but the information included patient names, dates of birth, sex, and information around medical images, such as the dates and time of the image, the image number, and the body part imaged during the service. 

The medical images were not viewable, nor were any other diagnosis, treatment, Social Security numbers, or health insurance information.

104K Patients Impacted by Cancer Treatment Centers of America Email Hack

Cancer Treatment Centers of America is notifying 104,808 patients of its Midwestern Regional Medical Center in Chicago that their data was potentially compromised after the hack of an employee email account.

CTCA officials identified suspicious activity on the impacted account on January 18 and launched an investigation with assistance from an outside forensics firm. The audit determined that an attacker had access to the account for nearly a week, beginning on January 12.

Upon discovery, the account password and email credentials were changed. A review determined the account contained patient names, medical record numbers, health insurance details, CTCA account numbers, and some patient data. The account did not contain financial details or SSNs.

CTCA has since bolstered its security measures, as officials continue to evaluate the needed for further cybersecurity enhancements. The workforce has also received additional training on common threats.

Notably, this is the fourth email-related breach reported by CTCA within the last three years.

In December 2018, the CCTA Western Regional Medical Center reported a phishing-related incident impacting 41,948 patients. Again in March 2019, a hacker breached an employee email account at CCTA’s Southeastern Regional Medical Center through a phishing attack, gaining access to the account for several days.

Six months later, the Eastern Regional Medical Center branch of CCTA again reported an email hack that compromised the data of 3,904 patients.

Haven Behavioral Healthcare Reports Breach from September 2020

Pennsylvania-based Haven Behavioral Healthcare fell victim to a systems’ hack in September, which possibly led to the compromise of patient data. 

On September 27, unusual activity was detected on certain Haven systems. An investigation led by third-party forensics specialists determined some files were accessible to the intruder for three days, starting on September 24.

A review was conducted of the impacted system but officials were unable to verify just what files were accessed during the hack.

Remarkably, the notice provides scant details into just what occurred on the system, the potential data accessed, or just what the provider has done to prevent a recurrence. The notice also failed to explain why it was released well after the 60-day HIPAA requirement.

Cyberattack on Personal Touch Holding

Personal Touch Holding (PTHC), a healthcare business associate, is notifying a reported 753,107 patients and current and former employees that their data was potentially compromised during a cyberattack.

The notice provides scant details on just what occurred, only details into the impacted information. For patients, the breach may include names, contact details, dates of birth, SSNs, medical treatments, insurance cards, health plan benefit numbers, medical record numbers, and some financial data, including copies of checks, credit card numbers, and bank account details.

For members, the compromised data also includes names, contact details, dates of birth, SSNS, but also their clinical and medical data, credit card numbers and or banking information, if the member paid their Medicaid surplus through a check or credit card.

PTHC has been working with third-party forensic data analysts to determine the origin and scope of the cyberattack. The FBI has also been contacted. Officials said they’ve since implemented enhanced monitoring and alerting software.

This is the second data breach reported by PTHC in just over a year. A ransomware attack on its cloud-hosting vendor in December 2019 compromised the data of 150,479 patients from 16 different PTHC subsidiaries. 

Vendor Incident Impactes Data of Lexington Medical Center Patients

A server hack of Healthgrades Operating potentially compromised the data of patients from Wake Forest Baptist Health’s Lexington Medical Center (LMC). Healthgrades previously provided LMC with educational services for its patients and community.

Healthgrades notified LMC on January 29 that an attacker gained access to its archived server for 12 days between October 16 and October 28, 2020. The server contained LMC patient information in some backup files from the time Healthgrades provided LMC with services.

Upon discovery, LMC launched a review to determine the scope of the incident and found that the affected data was dated from mid-2010 to mid-2011.

The data included names, contact details, demographics, dates of birth, medical record numbers, SSNs, dates of service, patient types, and limited health data, like treatments, billing codes, and descriptions, along with a host of other sensitive data.

The provider has also since ensured Healthgrades no longer holds any patient data from LMC and confirmed no patient data will again be sent to the vendor.

Next Steps

Dig Deeper on Healthcare data breaches