canjoena - stock.adobe.com

Trillium, SIU Medicine Added to Tally of Accellion FTA Breach Victims

Trillium and SIU Medicine reported their data was included in the Accellion FTA exploit; ransomware, email hacks, and insider wrongdoing complete this week’s breach roundup.

Trillium Community Health Plan and the Southern Illinois University School of Medicine recently reported some of their patient data was involved in the exploit of Accellion’s File Transfer Appliance (FTA), which has already claimed a long list of victims, including Centene and Kroger.

Attackers successfully exploited several zero-day vulnerabilities in the FTA platform in combination with a new webshell, which allowed the hackers to gain access to at least 100 companies and to steal data.

The Clop ransomware threat actors appear to be behind the attack, posting troves of data from victims in a large extortion effort.

On January 25, Accellion notified Trillium that their data was impacted by the exploit. The attacker was able to view or save the health plan’s files stored by Accellion between January 7 and January 25, 2021.

The compromised data included contact information, insurance ID numbers, dates of birth, and health information, such as medical conditions and treatments.

Trillium has stopped using Accellion’s services and removed all of the data from its system. Officials said they’ve also reviewed data sharing processes to ensure they’re protected against similar attacks.

For SIU, the hackers accessed the vulnerable FTA containing the School of Medicine’s data for short periods of time on December 24, January 20, and January 21. Upon discovery, officials said they closed off access to the service, contacted law enforcement, and launched a review.

The investigation was supported by an outside forensic security firm, which confirmed access did occur.  A review found the documents contained personal data and PHI that varied by patient, but could include names, dates of birth, Social Security Numbers, driver’s licenses, treatments, and insurance information.

SIU has also since terminated use of the vulnerable FTA service. Those individuals whose SSNs and or driver’s licenses were exposed will receive complimentary identity theft protection services.

The Accellion incident is just one of several massive supply-chain attacks reported in the last few months. Hackers have exploited vulnerabilities in Verkada security cameras and Microsoft Exchange, as well the massive SolarWinds exploit that resulted in a trojanized software update.

Sandhills Medical Data Impacted by Vendor Ransomware Attack

Sandhills Medical Foundation is notifying an undisclosed number of patients that their data was stolen prior to a ransomware attack on its third-party vendor, which provides Sandhills with electronic data storage for some of its scheduling, billing, and reporting systems.

The vendor first notified Sandhills of the ransomware attack on January 8, which impacted the provider’s systems and the stored data. The vendor’s investigation determined the hackers used compromised credentials to access the system on September 23, 2020.

Access to Sandhills’ system began on November 15, and the hackers exfiltrated Sandhills’ data prior to the ransomware deployment on December 3.

The stolen data included patient names, SSNs, dates of birth, contact information, driver’s licenses, and claims data that could be used to determine patient diagnoses and conditions. Patient medical records, lab results, medications, credit cards, and bank account details were not impacted.

The vendor paid the hackers’ ransom demand to return the stolen data and “received assurances that the data was deleted or destroyed. However, reports show that it’s getting difficult to trust these assurances, as hackers may falsify this information.

The vendor has since bolstered its security measures. Sandhills reported the breach to the Office for Civil Rights, state regulatory agencies, and the national credit reporting agencies.

The notice bears similarities and timeframes to the Netgain ransomware attack, which impacted individuals from Ramsey County, Minnesota and Woodcreek Provider Services.

New London Hospital Reports Breach From July 2020

About 34,878 patients of New London Hospital in New Hampshire are being notified their data was potentially compromised by a breach that occurred more than six months ago in July 2020.

It’s unclear when the security incident was first discovered, but the notice explained that an unauthorized party gained access to a file on the NLH network “for a short period of time” on July 30, 2020.

The investigation concluded on February 16, which confirmed the compromised file contained patient information, such as names, demographic details, and SSNs. The file did not include diagnoses, treatments, medications, or hospitalization information.

Under HIPAA, healthcare entities are required to report breaches of protected health information within 60 days of discovery -- not at the close of an investigation.

The breached network system is no longer in use at the hospital. The notice provides scarce details on just how the intruder broke into the network and just how long the unauthorized access occurred.

ProPath Reports Employee Email Hack

The hack of two employee email accounts belonging to ProPath led to the compromise of some patient data for more than four months in 2020.

The impacted accounts were secured and mandatory password resets were enforced, upon discovery. The notice does not disclose when the hack was first discovered, just that the investigation determined the extent of the hack on January 28, 2021.

An investigation, led with assistance from a third-party cybersecurity team, found the accounts contained both personal data and protected health information of patients who received laboratory or pathology testing services from ProPath.

This data could include names, dates of birth, test orders, diagnoses, clinical treatments, medical procedures, and provider names. A limited number of SSNs, financial account information, driver’s license numbers, health insurance details, and passports were also compromised. Patients whose SSNs were exposed will receive free credit monitoring.

ProPath has since bolstered its technical safeguards, including implementing further security measures on its email system and strengthening its email security training with employees.

Email Hack Impacts Saint Agnes, Saint Alphonsus Hospitals

California-based Saint Agnes Medical Center, a member of Trinity Health, and its sister health system, Saint Alphonsus Health System in Idaho, were recently impacted by an email hack, which potentially breached the data of an undisclosed number of patients.

On February 5, Saint Agnes was notified by Saint Alphonsus of an employee email compromise, which led to the account sending phishing emails between January 4 and 6. The hacker was attempting to obtain login credentials.

It first appeared that the incident only impacted Saint Alphonsus. But the investigation later determined some of the compromised data belonged to Saint Agnes. Saint Alphonsus handles the billing for the hospital’s western region.

The hack was discovered on January 6, and the account was quickly secured.

A review of the account determined some patient information may have been accessible during the incident, including names, dates of birth, contact details, email, and medical information, such as treatments, billing data, and record numbers. All patients will receive a year of free credit monitoring.

65K Patients Impacted By Insider Wrongdoing at Humana

Humana is notifying 65,000 individuals of an insider wrongdoing incident at one of its vendors, which led to the exposure of their personal and health information. The vendor, Cotiviti, supports Humana with medical records requests to verify data reported to CMS.

Cotiviti uses a subcontractor to review collected medical records. The incident was caused by a subcontractor’s employee, who inappropriately disclosed patient data to unapproved individuals for unauthorized training purposes between October 12 and December 16, 2020.

The information included patient names, dates of birth, SSNs, contact information, insurance identification numbers, dates of service, medical records numbers, treatment information, and medical images.

Upon discovery, the employee’s access to the medical records was disabled. The employee is no longer employed by the subcontractor. Cotiviti and the subcontractor have since implemented a “broad strategy” to prevent further unauthorized disclosure of information.

Humana was notified of the incident on December 22. The notice does not explain the reason for delayed reporting. The insurer worked with Cotiviti to ensure it bolstered protections and security of personal information, while reviewing the physical and technical safeguards of Cotiviti and its subcontractor.

Next Steps

Dig Deeper on Healthcare data breaches