
AstraZeneca Targeted by Nation-State Actors Via Phishing Attacks, Malware

A Reuters report finds nation-state actors from North Korea sent AstraZeneca’s workforce phishing emails with malware; an email hack, a cyberattack, ransomware, and a server misconfiguration complete this week’s breach roundup.

Nation-state threat actors with ties to North Korea allegedly launched a phishing campaign against AstraZeneca in an effort to gain access to the pharma giant’s systems via malware, according to Reuters.

The report comes on the heels of a Microsoft alert warning the healthcare and pharmaceutical industries that nation-state actors are actively targeting coronavirus research with cyberattacks in hopes of stealing valuable data. AstraZeneca has been collaborating with the University of Oxford on COVID-19 vaccine research and treatments.

AstraZeneca’s workforce received phishing emails purporting to be job opportunities from recruiters working with popular professional networking sites. Instead, the messages carried malicious code designed to give the attackers access to the victim’s computer.

Two workforce members told Reuters that the phishing emails bore the hallmarks of the nation-state hacking attempts federal agencies and other security researchers had warned about in recent weeks.

As previously noted to HealthITSecurity.com, healthcare organizations must prioritize patch management processes for closing security gaps in vulnerable endpoints. Security leaders should also identify possible weaknesses in the supply chain, including access points used by third-party vendors.

Email security and training will also be crucial, given that many of these threats prey on human nature. Reports have found that training and education drastically reduce cyber risk within the healthcare sector.

296K Patients Impacted by AspenPointe Cyberattack

AspenPointe, a behavioral and mental health provider in Colorado, recently began notifying 295,617 patients that their data was potentially compromised after a cyberattack on its technological infrastructure.

Discovered in late September, the attack was severe enough to force the provider to close the majority of its operations for several days. Officials said they launched an investigation with assistance from a third-party cybersecurity firm, which concluded on November 10.

The investigation determined patient data was removed from the network during the cyberattack. The stolen information included patient names, dates of birth, Social Security numbers, driver’s license numbers, and/or bank account information. All patients will receive a year of free credit monitoring.

Fairchild Medical Center Server Misconfiguration

California-based Fairchild Medical Center is notifying an undisclosed number of patients that a server misconfiguration led to the exposure of sensitive health information.

A third-party security firm found the misconfiguration and subsequent data leak, then disclosed the findings to FMC. Officials said they immediately addressed the server issue and launched an investigation with help from third-party specialists. The security team confirmed the server has since been secured. 

However, the investigation revealed the exposure began on December 16, 2015 and lasted until July 31, 2020, a period during which the server was reachable by outside parties. FMC performed an extensive review of forensic evidence related to the server, but could not conclusively rule out unauthorized access to the patient records stored on it during that time.

The review determined the exposed information included medical images, patient names, dates of birth, identification numbers, exam identification numbers, provider names, and examination dates.

Full medical records, Social Security numbers, and financial information were not compromised by the incident.

Email Hack at LSU Health New Orleans Health Care Services Division

A hack of an employee email account at Louisiana State University (LSU) New Orleans Health Care Services Division potentially compromised the data of an undisclosed number of patients who received care at Lallie Kemp Regional Medical Center; Leonard J. Chabert Medical Center; W.O. Moss Regional Medical Center; and the former Earl K. Long Medical Center, Bogalusa Medical Center, University Medical Center, and Interim LSU Hospital in New Orleans.

The hack appears to have started on September 15 and was found by LSU Health officials three days later. The account was immediately secured. Officials said they are continuing to investigate the incident, including how long the account was accessed and how many patients were impacted.

LSU Health was unable to rule out access to the information contained in the account. So far, officials said they know thousands of patients have been affected. The account contained a range of patient information, such as names, contact details, medical record numbers, account numbers, dates of birth, SSNs, dates and types of service, and insurance identification numbers.

Some of the affected emails also contained patients’ bank account information and health information. Officials said that in most instances, only a few of these identifiers were present in the compromised account.

“Although strict privacy and security policies were in place at the time of the intrusion, security practices and procedures as well as additional available methods for protecting the email system are being reviewed to determine if improvements can be made to further reduce the risk of such a breach in the future,” officials said in a statement.

“Any changes will be included in the information security training that all employees are required to complete,” they added.

US Fertility Ransomware Attack

A ransomware attack on US Fertility in September potentially compromised the data from an undisclosed number of patients.

US Fertility is an IT platform and services vendor for several infertility clinics, including SGF Atlanta, Center for Reproductive Endocrinology, Center for Reproductive Medicine & Advanced Reproductive Technologies, Center for Reproductive Medicine Alabama, Center for Reproductive Medicine Orlando, Coastal Fertility Specialists, Fertility Centers of Illinois, and Fertility Partners of Pennsylvania Surgery Center, among a range of other providers.

On September 14, certain USF computer systems on its network were infected with ransomware, and data on some workstations and servers was encrypted. Officials said a number of systems were proactively taken offline to contain the impact of the attack.

USF partnered with an outside computer forensics team to investigate, remediate the identified malware, and confirm the network was secured. The systems were reconnected on September 20.

The investigation determined that the attacker stole a limited number of files before deploying the final ransomware payload, during a window between August 12 and September 14, when the intrusion was discovered.

The review concluded on November 13, finding that patient names, contact information, dates of birth, MPI (master patient index) numbers, and SSNs were accessed without authorization. The impacted data varied by patient, and SSNs were included for only a small number of patients.

USF has since improved its firewall security and network monitoring, along with providing employees with renewed data security training including phishing awareness.
