Third-Party Vendor Dental Care Alliance Breach Impacts 1M Patients

DCA recently notified some of its clients that a monthlong system hack breached the data of 1M patients; multiple ransomware incidents and two data misconfigurations complete this week’s breach roundup.

Third-party vendor Dental Care Alliance recently began notifying hundreds of its clients that a near-monthlong system hack potentially breached the protected health information and payment card numbers of 1 million patients.

DCA is a practice support vendor serving more than 320 affiliated practices across 20 states.

With its notification, the breach is now the second-largest incident in the healthcare sector in 2020, behind the Blackbaud ransomware attack. The investigation is ongoing, as DCA is continuing to review the data affected by the event.

According to the notice, DCA officials detected abnormal activity within its environment on October 11 and launched an investigation with assistance from third-party forensics specialists. The initial review determined hackers had access to its network from September 18 until October 13.

The potentially compromised data could include patient names, contact details, dental diagnoses, treatment information, patient account numbers, billing details, dentists’ names, bank account numbers, and health insurance data.

DCA stressed that bank account numbers were affected for only 10 percent of the impacted patients.

The vendor has since conducted a review of its network security, along with providing its staff with further security training, implementing mandatory password resets, and upgrading its systems.

67K Patients Affected by Sonoma Valley Hospital Ransomware Attack

More than two months after falling victim to a ransomware attack, Sonoma Valley Hospital is notifying 67,000 patients that their data was likely compromised during the incident.

The California-based provider has been operating under EHR downtime procedures since the cyberattack was launched on October 11. Sonoma Valley was one of multiple healthcare providers affected by a wave of targeted ransomware attacks on the sector that month.

While officials first deemed the event a ‘security incident,’ it was soon disclosed as ransomware, and the downtime procedures lingered for several weeks.

Officials later confirmed that a small subset of data was likely exfiltrated during the attack. About 75GB of data allegedly stolen from Sonoma Valley was subsequently posted on the dark web by the Mount Locker ransomware actors; the data was removed several days later.

The hospital was forced to completely rebuild its network after the attack to fully remove the malware, which included the replacement of 50 computers and the restoration of 75 different systems and 215 workstations.

The latest update shows Sonoma Valley is still working to fully restore its network, more than two months after hackers dropped the ransomware payload.

The investigation determined that the affected patient data consisted of health claims data sent electronically to insurers, including names, contact details, birthdates, insurer group and subscriber numbers, diagnoses, procedure codes, dates and place of service, claim amounts, and secondary payer information.

Sonoma Valley also determined it’s unlikely patient financial data or patient data stored in the hospital’s EHR was accessed during the attack.

Ransomware Threat Actors Post More Health-Related Data

Conti and DoppelPaymer threat actors have once again preyed on the healthcare sector, this time posting data allegedly stolen from Apex Laboratories and Warren, Washington & Albany Counties Chapter of NYSARC.

Apex Laboratories is a mobile lab testing vendor that currently provides much-needed COVID-19 testing. WWAARC provides a host of services, including family support, nursing, day habilitation, and other support services for those with intellectual or developmental disabilities.

Screenshots shared with HealthITSecurity.com show the DoppelPaymer hacking group released eight data dumps and a list of vulnerable machines from Apex Laboratories. Meanwhile, Conti threat actors, who have notoriously hacked nonprofit and mental health providers without scruples, leaked data they claim to have stolen from WWAARC.

Data extortion is no longer a rare occurrence, with Coveware research finding extortion occurs in half of ransomware incidents. The success of these efforts stems from hackers realizing that the same tactics used on smaller companies are just as effective against larger corporations.

Misconfigured Databases Leak Patient Data

In recent weeks, two reported database misconfigurations exposed hundreds of thousands of patient-related records: NTreatment and Apodis Pharma in France. Both data breaches highlight the need for better endpoint detection and security measures.

Discovered by TechCrunch researchers, the NTreatment database was hosted on a Microsoft Azure cloud storage platform but failed to implement password protection. As a result, 109,000 files that included lab test results, medical records, provider notes, insurance claims, and other data from US patients were left unencrypted and exposed online.

Nearly all of the sensitive information was viewable in a web browser, including the medical records of children and EHR records from providers, psychiatrists, and hospital healthcare workers.

The misconfigured server also contained internal company documents, such as a non-disclosure agreement with a prescriptions provider. TechCrunch contacted NTreatment once it determined that vendor owned the server. Officials said the database was used for general storage, and it has since been secured.

The second misconfigured server belonged to Apodis Pharma and was found by CyberNews researchers. Apodis Pharma is a digital supply chain management and software vendor for pharmacies, healthcare delivery organizations, insurance companies, and pharmacy labs.

In November, the researchers discovered a database belonging to the vendor that had been left online without authentication, meaning anyone could access the data without a password.

As a result, 1.7TB of business-related data was left exposed online, such as pharmaceutical sales data, full names of Apodis Pharma partners and employees, client warehouse stock stats, shipment locations, contact details, and a host of other sensitive data.

CyberNews disclosed the exposure to Apodis Pharma on October 22 but received no reply. Multiple follow-ups were also left unanswered, prompting the team to contact CERT France on October 29 in an effort to secure the database. It took several weeks for the database to be secured, which finally occurred on November 16.

Researchers noted that it’s unclear whether the database was accessed while it was left publicly available. However, the database was indexed by a popular IoT search engine, which means “there is almost no doubt that the data has been accessed and possibly downloaded by outside parties for potentially malicious purposes.”

“Malicious actors with unauthorized access to this database could cause a lot of damage not only to the clients of Apodis Pharma, but also to untold numbers of unsuspecting patients across France,” researchers explained.

“Intruders could download the database and sell it to the competitors of Apodis Pharma clients, who would be able to make business decisions based on the confidential information found in the database,” they added.