COVID-19 Vaccine Data Manipulated Before Leak to Impair Public Trust

The hackers who stole COVID-19 vaccine data last month modified the information before leaking it online to undermine public trust; email hacks, a security incident, and data extortion complete this week’s breach roundup.

The hackers who stole COVID-19 vaccine data belonging to Pfizer and BioNTech from the European Medicines Agency (EMA), a regulatory agency, and leaked the information online in December had manipulated the exfiltrated data before publishing it, in order to undermine public trust in the vaccine.

EMA confirmed the threat actors behind the attack had posted the stolen data online last week. Several days later, the investigation revealed the data had been altered prior to the leak.

Reports of the hacking incident came to light in early December, revealing that hackers had accessed and exfiltrated data related to the first authorized COVID-19 vaccine from Pfizer and BioNTech. EMA is tasked with vaccine assessments and approvals for the EU.

The highly targeted attack struck on December 9 and gave the attackers access to some documents tied to the regulatory submission of the impacted pharmaceutical companies that were stored on the compromised server.

Pfizer and BioNTech were awaiting final approval for their vaccine, which was issued temporary authorization for emergency use in the UK on December 2. The previous update confirmed the attack was confined to just one IT application and the documents stored on the server.

The regulator has been working with the UK National Cyber Security Centre and law enforcement on the investigation, while it works to secure the data.

The latest update revealed the stolen and altered data included internal, confidential email correspondence from November that was tied to the evaluation processes for COVID-19 vaccines.

“Some of the correspondence has been manipulated by the perpetrators prior to publication in a way which could undermine trust in vaccines,” EMA officials explained. “Two EU marketing authorisations for COVID-19 vaccines have been granted at the end of December/beginning of January following an independent scientific assessment.”

“EMA is in constant dialogue with the European Commission and other regulators across the network and internationally,” they added. “[EMA] continues to fully support the criminal investigation into the data breach. Necessary action is being taken by the law enforcement authorities.”

Federal agencies have repeatedly warned that hackers are actively, and successfully, targeting healthcare organizations tasked with the COVID-19 response for these exact purposes. Nation-state actors have also targeted healthcare employees in an effort to gain access to valuable COVID-19 data.

Recently, cold storage giant Americold and global firm Miltenyi Biotec were targeted with cyberattacks in an apparent attempt to disrupt the vaccine supply chain. And as the vaccine rollout progresses, attacks on healthcare web apps rose 51 percent.

Hackers Post Stolen Data from 2 Healthcare Entities

Threat actors have once again posted data they claim to have stolen from healthcare entities. Last week, the Conti hacking group posted data allegedly exfiltrated from Medtron, and Netwalker actors leaked data they claim to have stolen from Granite Wellness Centers.

Louisiana-based Medtron Software Intelligence provides integrated practice management and EHR tech to medical practices. Granite Wellness Centers, previously known as Community Recovery Resources, creates individualized wellness prevention programs, including family services and housing support.

For Granite Wellness, screenshots shared with HealthITSecurity.com show the hackers appear to have stolen a range of spreadsheets containing business information, as well as case management and consultation information.

As previously noted, data exfiltration has grown increasingly common in the last year. Emsisoft data shows there are at least 17 ransomware threat actors leveraging extortion to increase payout from victims.

November Security Incident at Hendrick Health Caused Data Breach

Texas-based Hendrick Health recently began notifying 640,000 patients that their data was potentially accessed during a security incident reported in November. Only patients of the Hendrick Medical Center and Hendrick Clinic were impacted by the incident.

Hendrick Health was among the dozens of providers that reported falling victim to a security incident or ransomware attack in the fall. The Texas provider was forced into EHR downtime procedures for what it called a “security incident” at its main campus medical center and some of its clinics.

The IT networks were shut down across the enterprise in response to the incident. Some outpatient services were rescheduled, while Hendrick Health redirected some patients. The medical center’s inpatient services were kept open during the security event.

Ransomware was not confirmed in either the initial report or the latest update. Further, it appears the “network security threat” was first discovered on November 20, which prompted administrators to secure the network, contact law enforcement, and launch an investigation.

The review determined the attacker potentially accessed patient information for about a month between October 10 and November 9. The compromised data included patient names, Social Security numbers, contact information, demographic details, and limited data related to care received at Hendrick Health. The EHR was not affected by the incident.

Hendrick Health has since enhanced its system monitoring capabilities and added new features to its security alert software.

This story has been updated to include the total number of patients impacted by the incident, as reported to the Department of Health and Human Services.

Business Associate Hack Impacts Wisconsin Medicaid Data

A hack of an email account belonging to Gainwell Technologies may have compromised the data of some participants in Wisconsin’s Medicaid program.

Gainwell provides tech solutions for health and human service programs to support administration and operations. The vendor is a business associate of the Wisconsin Department of Health Services’ Medicaid program, which serves 1.2 million members annually.

On November 16, officials said they discovered unauthorized access in an account tied to Gainwell. The subsequent investigation revealed the threat actor first gained access to the account weeks earlier, beginning on October 29.

During the hack, the attacker may have accessed the names, member identification numbers, and billing codes for services received by some Wisconsin Medicaid program participants. Since discovering the incident, Gainwell and Wisconsin DHS have been working to improve security measures.

Precision Spine Care Email Hack Impacts 21K Patients

Texas-based Precision Spine Care recently began notifying 20,787 patients that their data was potentially breached after the hack of an employee email account.

The notice does not detail when the hack was first discovered. But after the hacker gained remote access to an employee email account, they attempted to fraudulently divert funds. Upon discovery, administrators disabled the account and launched an investigation.

On November 20, the review determined some patient information may have been accessed during the security incident, “although, given the unauthorized individual’s intent, it is unlikely that any personal information was accessed.”

The impacted account contained patient information that included names, contact details, dates of birth, and limited health information.

Precision Spine has since implemented multi-factor authentication and retrained employees on spotting phishing and spoofing emails.
