Hackers Hit COVID-19 Biotech Firm, Cold Storage Giant with Cyberattacks

Cold storage giant Americold and global firm Miltenyi Biotec recently faced cyberattacks; ransomware, an email error, phishing, and an application hack complete this week’s breach roundup.

Two global firms with reported ties to the COVID-19 pandemic response faced cyberattacks within the last week. Miltenyi Biotec reported a system outage caused by a malware attack, while cold storage giant Americold, previously in talks to provide storage for the distribution of COVID-19 vaccines, experienced a “cybersecurity incident.”

Miltenyi is a global biotech firm based in Germany with offices in 73 countries, including several in the US. The company is responsible for supplying SARS-CoV-2 antigens for research firms tasked with working on COVID-19 treatments.

The attack struck Miltenyi’s IT infrastructure two weeks ago, which caused issues with some order and operational processes, including email and phone communications. The company has since fully restored its operations.

“Rest assured, all necessary measures have now been taken to contain the issue and recover all affected systems. Based on our current knowledge, we have no indication that the malware has been inadvertently distributed to customers or partners,” officials said in a statement.

Meanwhile, a Securities and Exchange Commission filing revealed a cybersecurity incident struck the network of Americold on November 16. Officials said the company took immediate action to contain the incident and launched its business continuity plans to maintain operations.

Law enforcement has been contacted, and Americold is working with outside cybersecurity leaders and its legal counsel to respond to the incident. The disclosure does not detail the type of threat or exploit leveraged in the attack, but the company is continuing to recover while ensuring its IT infrastructure and customer data are secured.

These attacks appear to align with recent alerts from federal agencies and Microsoft, warning that hackers are targeting the healthcare sector and those working on the COVID-19 response with cyberattacks in an effort to steal data and disrupt operations.

Healthcare entities should continue to prioritize hardening their security defenses and ensuring the effectiveness of business continuity plans to prevent falling victim, as dozens of other US health systems and hospitals have faced ransomware attacks and subsequent EHR downtime in the last two months.

Mercy Iowa City Phishing Attack Impacts 60K Patients

About 60,000 patients are being notified that their data was potentially compromised after a month-long phishing attack on an employee email account.

On June 24, hospital officials discovered that an employee email account had been used to send out phishing or spam emails. The investigation that followed determined the attacker had access to the email account from May 15 until June 24, when the compromise was discovered.

A review of the affected account revealed the compromised information varied by patient and could include names, Social Security numbers, driver’s licenses, dates of birth, medical treatments, and health insurance details.

The hospital determined on October 3 that 60,673 Iowa residents were affected by the incident. It’s important to note that under HIPAA, providers are required to report any breaches affecting protected health information within 60 days of discovery, not at the close of an investigation.

Mercy has since enhanced its technical safeguards and implemented multi-factor authentication.

First Impressions Orthodontics Ransomware Attack

A ransomware attack on First Impressions Orthodontics potentially compromised the data of 23,000 patients. The Connecticut provider detected a cybersecurity incident on September 28, which was later confirmed to be ransomware. 

The incident was contained, and officials launched an investigation, which found the attackers potentially accessed some patient data including names, contact details, Social Security numbers, dental plan or insurance numbers, dental images, charges for services, and payments for services performed. Credit card and bank account information were not impacted.

In addition, for patients who received only X-rays at First Impressions, only names, dates of birth, and insurance information were affected by the incident. All affected individuals will receive two years of free credit monitoring.

The provider removed the malware and impacted files, then assessed its security to identify and implement measures to strengthen it. First Impressions did not pay the ransom demand and restored all patient records and information from a backup copy.

Delaware Public Health Email Error Exposes COVID-19 Data

The Delaware Department of Health and Social Services recently notified 10,000 individuals that their COVID-19 test results were compromised, after a Division of Public Health employee inadvertently sent two unencrypted emails containing the data to an unauthorized user.

The email error was made by a temporary staff member, who sent the emails on August 13 and August 20. The second email included test results for individuals tested on August 15. The messages were meant for internal distribution to call center staff tasked with helping individuals obtain their COVID-19 test results.

The email messages contained patient names, dates of birth, phone numbers, test locations, the date of the test, and the test result. No financial information was contained in the emails. Upon receipt of the email, the unauthorized user contacted the Division of Public Health and informed the department that the email and its attachments had been deleted.

The temporary staff member is no longer employed by the Division of Public Health. Officials said they investigated the incident and reviewed their HIPAA-related policies and procedures. All workforce members were retrained on HIPAA requirements, with additional HIPAA training policies implemented for temporary staff members.

Luxottica Appointment Scheduling App Hack Impacts 829K Individuals

About 829,454 individuals were recently notified that their data was compromised after a hack on the web-based appointment scheduling application used by eyecare giant Luxottica of America.

Italy-based Luxottica is a global eyewear conglomerate, which designs, manufactures, distributes, and retails eyewear brands, like LensCrafters, Sunglass Hut, and Pearle Vision, as well as the EyeMed vision care plan.

The security incident involved the appointment scheduling application managed by Luxottica and used by eyecare providers to help patients make appointments. The impacted data was related to patients of providers who leverage Luxottica’s systems.

On August 5, a hacker accessed the web application used for appointment scheduling. However, the vendor did not discover the hack until four days later on August 9. The incident was contained, and an investigation was launched to determine the scope.

Working with a third-party cybersecurity firm, Luxottica determined the hacker possibly accessed and acquired patient information on August 28, including full names, contact details, appointment dates and times, health insurance policy numbers, and appointment notes related to treatment, such as health conditions, procedures, and prescriptions.

The threat actor may have also accessed and acquired third-party information from the appointment app. For some patients, Social Security numbers and credit card information were also breached.

The vendor has since implemented enhanced security controls, including further access restrictions for its patient scheduling platform. Luxottica also developed a remediation plan to prevent a recurrence.

This is the second breach reported by Luxottica in the last few months. A ransomware attack hit the vendor in August, which led to shutdowns of Luxottica operations in China and Italy, as well as website disruptions for some of its popular brands like Ray-Ban and EyeMed.

Some of its patient portals were also disrupted by the attack, and the system disruptions continued for more than a month across Luxottica’s network.
