Getty Images

219K Nebraska Medicine Patients Affected by Fall Ransomware Attack

A security incident that drove Nebraska Medicine into EHR downtime potentially led to the theft of some patient data; an email hack, third-party incident, and phishing complete this week’s breach roundup.

A ransomware attack that struck Nebraska Medicine in the Fall potentially led to the data theft and compromise of information from 219,000 patients. The September security incident spurred EHR downtime procedures and caused system, EHR, and patient portal access issues at a number of care sites.

In late September, reports surfaced that a cyberattack on Nebraska Medicine affected a number of its sites, including Great Plains Health and hospital branches in Hastings, Norfolk, and Beatrice.

At the time, ransomware was presumed to be behind the attack but officials would not speculate on the nature of the incident. The attack was first detected on September 20 on Nebraska Medicine’s servers and networks, and patient records were inaccessible during that time.

For the most part, patient care continued as normal, with only some non-urgent procedures canceled due to a lack of records access. At Great Plains Health, experience from its 2019 cyberattack prepared the organization for downtime procedures, which allowed for optimal care services despite the incident.

The notification shed further light on the attack: while ransomware was deployed on September 20, hackers first gained access to the network nearly a month earlier on August 27. The comprehensive evaluation also discovered the attackers deployed malware and exfiltrated some patient and employee data stored on the affected systems.

A limited number of patients from Faith Regional Health Services, Great Plains Health, and Mary Lanning Healthcare was also affected, as the data was stored in the Nebraska Medicine/UNMC network.

The compromised data varied by patient and could include names, contact information, dates of birth, health insurance information, medical record numbers, and clinical data, such as physician notes, lab results, imaging, diagnoses, treatments, and prescription data.

A limited number of Social Security numbers were also affected by the incident. Those patients will receive free credit monitoring and identity theft protection services. The attack did not result in unauthorized access to Nebraska Medicine and UNMC’s EMR application.

Nebraska Medicine has since implemented further network monitoring tools and is continuing to regularly audit its systems for any unauthorized access.

Third-Party Vendor Incident Impacts UPMC Patients

About 36,086 UPMC patients are being notified that their data was potentially compromised after a breach of its billing-related legal services vendor, Charles J. Hilton & Associates (CJH).

In June, CJH officials first discovered unauthorized activity on its employee email system. A month later, an investigation determined a number of email accounts had been hacked between April 1 and June 25, 2020.

The investigation concluded in December that some UPMC patient information was potentially accessed during the email hack. CJH confirmed this to UPMC in December. Under HIPAA, business associates of HIPAA-covered entities are required to report data breaches within 60 days of discovering a breach -- not at the close of an investigation.

The impacted data included a range of sensitive information, including SSNs, dates of birth, bank or financial account numbers, driver’s licenses or state IDs, electronic signatures, medical records numbers, patient account numbers, Medicare or Medicaid identification numbers, health insurance numbers, treatments, rescriptions, drug tests, billing or claims data, and a host of other sensitive details.

UPMC Health Plan Phishing-Related Breach

In a separate notice unrelated to the third-party incident, UPMC Health Plan is alerting 19,000 individuals that their data may have been compromised due to a security incident involving data stored in an employee email account.

On December 8, a phishing attack directed at an employee led to the potential access of protected health information stored in the account. Officials said they were notified of the incident the following day.

The potentially exposed data include patient names, dates of birth, parent or guardian names, and limited clinical data, including dental providers and procedure information.

In response, UPMC Health Plan is currently reviewing its security policies, and controls, and processes.

Nevada Health Centers’ Email Hack

A hack of an employee email account at Nevada Health Centers may have potentially compromised the data of an undisclosed number of patients.

The investigation found the hacker logged into the employee account from an overseas location between November 20 and December 7, 2020. Officials said it appears the attack was financially motivated.

The impacted account contained patient names, contact details, demographic information, medical record numbers, provider names, and locations of service. SSNs, medical records, and financial data were not affected by the incident.

Dig Deeper on Healthcare data breaches