Data of 50K PACE Program Patients Stolen from Peak TPA Cloud Servers

NetWalker hackers stole PACE program patient data from Peak TPA's cloud servers; ransomware, more Accellion victims, a network hack, phishing, and a misconfiguration complete this week’s breach roundup.

Healthcare business associate Peak TPA is notifying 50,000 PACE program patients that their data was stolen from two of its cloud servers by an attacker. The third-party administrator supports claims management on behalf of PACE programs.

Peak TPA learned of the hack on December 31 and later determined NetWalker hackers were behind the attack. NetWalker was taken down in late January by federal agencies.

The investigation determined the hackers broke into the cloud servers and obtained patient information, including names, contact details, Social Security numbers, PACE program IDs, diagnoses, and treatment data.

All impacted patients will receive three years of free identity monitoring, fraud consultation, and identity theft restoration services. Peak TPA has since bolstered its security to prevent a recurrence.

The attack also compromised data from at least one of Peak TPA’s clients, which also released a notice in the last week. Total Life Care was notified by Peak TPA that the hackers accessed patient names, dates of birth, contact information, SSNs, and diagnosis codes.

Ransomware Hits South Carolina Hospital in February

South Carolina-based Newberry County Memorial Hospital was hit with a ransomware attack during the last week of February, which caused technical issues on some of its servers and drove its care team into EHR downtime procedures.

Upon discovery, the hospital engaged a third-party forensics response team for assistance with both the response and investigation. Law enforcement was also contacted and is investigating the incident.

Fortunately, the hospital had already established rigorous security measures and offline backup systems, which allowed the IT team to readily restore the encrypted data from the unaffected servers. The investigation has so far found no evidence of access to patient data.

The latest update from local news outlet WSPA shows the hospital has since recovered from the ransomware attack and is currently working on upgrading its security measures.

Arizona Complete Health Included in Accellion Hack

The impact of the Accellion File Transfer Appliance (FTA) hack continues to grow, with Arizona Complete Health (AzCH) recently notifying some of its plan members that their data was compromised and potentially stolen.

The Accellion incident, in which several threat actors exploited unpatched vulnerabilities in the FTA to steal a massive amount of data from its clients as part of an extortion campaign, was first disclosed in February.

Previous victims include Kroger, Centene, Trillium Community Health Plan, and SIU Medicine, among a host of others.

For AzCH, Accellion notified the health plan on January 25 that the hackers accessed and/or saved plan member data between January 1 and January 25. The data included contact information, dates of birth, insurance ID numbers, and health information, such as medical conditions and treatments.

AzCH worked with Accellion, which is also working with law enforcement, to investigate. The health plan has since stopped using Accellion’s services and removed all of its data from the system. Officials said they’re also reviewing data sharing processes to identify further risks.

Home Care Provider Reports Network Hack

Assistcare Home Health Services dba Preferred Home Care of New York is notifying an undisclosed number of patients that their data may have been compromised after a hack of its network in early January.

On January 9, Preferred Home identified a network disruption and launched a forensic investigation. Officials said they found an attacker gained access to the network and potentially acquired some personal information from January 8 to January 10.

The compromised information varied by patient but could include names, contact information, demographic details, dates of birth, financial data, including bank account numbers, SSNs, Medicaid numbers, and medical information, such as drug screens, vaccinations, worker’s compensation claims, and a trove of other sensitive information.

Patients whose SSNs were affected during the incident will receive complimentary identity protection and credit monitoring services.

Phishing Incident Impacts 26K Colorado Retina Patients

Colorado Retina Associates (CRA) recently notified 26,609 patients that a phishing attack potentially led to an attacker copying their personal and health data.

In the incident, first discovered on January 12, a hacker gained access to an employee email account and sent further phishing emails to the employee’s electronic contacts. CRA immediately secured the email account and the entire email environment, then launched an investigation.

An outside forensic computer firm was hired to assist in the investigation and to assess the scope of the breach. On February 24, the team determined the hacker accessed multiple email accounts and that two of the accounts contained patient information.

The investigation determined the access may have involved the attacker syncing the email account for 11 days between January 6 and January 17.

A further analysis of the accounts and email attachments could not fully determine the extent of the compromise or how much of the data was copied from the accounts. As some patient data could have been acquired, CRA is notifying all patients whose data was contained in the impacted accounts.

The accounts contained a range of data that varied by patient, including names, dates of birth, contact details, and clinical information, such as dates of service, diagnoses, lab results, medications, procedural data, and some health insurance, claims, billing, and payment data.

For a small fraction of patients, SSNs, driver’s licenses, financial accounts, or payment card information was involved.

CRA has since applied a password update to all authorized email accounts and updated how it authorizes individuals to gain access to employee accounts. Employees have also received further security awareness training.

Misconfiguration Leads to Mobile Anesthesiologists Breach

An unauthorized individual may have acquired patient data from Mobile Anesthesiologists after a technical misconfiguration left the information exposed online.

The Chicago-based business associate learned of the incident around December 14, 2020 and launched an investigation with assistance from a third-party cybersecurity team. The investigation, which concluded on January 28, found personal and protected health information was exposed and potentially acquired.

The compromised information included full names in combination with one or more data points, such as procedure types and dates, health insurance information, and dates of birth. SSNs and financial data were not impacted by the incident.

The notice does not explain the delay in reporting. HIPAA requires breaches to be reported within 60 days of discovery, not at the close of an investigation. Mobile Anesthesiologists has since corrected the misconfiguration.
