
‘Security Threat’ Forces Hendrick Health to EHR Downtime Procedures

Hendrick Health in Texas is operating under EHR downtime procedures after detecting a ‘security threat’; ransomware recovery, a third-party incident, more ransomware, phishing, and multiple hacking incidents complete this week’s breach roundup.

Texas-based Hendrick Health is operating under EHR downtime procedures after discovering a network ‘security threat’ at the main campus's medical center and some of its clinics on November 9. The IT networks have been shut down across the enterprise to fully address the issue. 

Hendrick Medical Center Brownwood and Hendrick Medical Center South have not been affected by the incident. 

Officials are fully focused on maintaining patient safety, while administering downtime procedures. Texas has been the hardest hit by the coronavirus, with more than 1 million reported cases across the state since the start of the pandemic.

The medical center’s inpatient services remain open, but patients are being directed to “the most appropriate campus for their care.” Some outpatient services, including therapies or doctors' visits, are also being rescheduled, officials said.

Hendrick Health is continuing to work around the clock to address and resolve the issue, while coordinating with outside security leaders and law enforcement to get its networks back online. 

Hendrick Health becomes the latest covered entity impacted by the ransomware wave targeting the US healthcare sector, which has already claimed Universal Health Services, Dickinson County Healthcare System, Sonoma Valley Hospital, Sky Lakes Medical Center, the University of Vermont Health Network, St. Lawrence Health System, Valley Health System in Las Vegas, Ashtabula County Medical Center, and Nebraska Medicine in the last two months. 

Sonoma Valley Hospital Remains Offline 1 Month After Cyberattack

Sonoma Valley Hospital in California is continuing to operate under EHR downtime procedures one month after a ransomware attack infected its entire network. According to local news outlet the Sonoma Index-Tribune, hospital officials believe the recovery efforts still have a long way to go.

The ransomware payload was deployed on October 11, prompting the IT team to shut down the network to stop the ransomware from spreading further. The hospital employed its practiced business continuity plan, which has allowed patient care to continue with minimal disruptions. 

While the latest update reported that Ryuk was behind the attack, it was Mount Locker threat actors that leaked data they claim to have stolen from the hospital during the week of November 2.

The hospital confirmed early on that they were aware some patient data was stolen prior to the ransomware deployment, but officials said that outside of the initial attack, the hackers have had minimal communication with the hospital.

Mount Locker hackers published 75GB of data, but officials said much of the posted data were images from 2009 and that they’ll “know more for sure what they have soon.” That is likely, given that double extortion threat actors typically publish stolen data in waves to pressure victims into paying a ransom. 

Sonoma Valley has no intention of paying the ransom demand, officials confirmed.

The hospital has had to completely rebuild the network to remove the ransomware, including replacing 50 computers and restoring access to 75 different systems and 215 workstations. The team is continuing to investigate the scope of the incident, which has proved challenging, and is working with an outside cybersecurity team on its recovery efforts.

116K Individuals Impacted by Timberline Billing Ransomware Attack

About 116,131 individuals are being notified that their data was compromised after a ransomware attack on Medicaid service vendor Timberline Billing Service, according to the Department of Health and Human Services breach reporting tool. 

The threat actors had access to the Iowa vendor's systems for several weeks, beginning on February 12 and lasting until March 4, when the ransomware was deployed. The hackers exfiltrated data prior to deploying the ransomware payload.

Reports show the vendor provides services for nearly 200 schools in the state but it’s unclear whether the attack was limited to its Iowa clients. The compromised data includes names, dates of birth, billing information, and Medicaid identification numbers. Some Social Security numbers were also stolen during the attack. 

Florida’s Advanced Urgent Care Ransomware Attack

Advanced Urgent Care of the Florida Keys is notifying an undisclosed number of patients that their data was compromised following a ransomware attack that resulted in data exfiltration in March. 

On March 1, hackers deployed the ransomware payload, which encrypted the files stored on its backup drive. Officials said they launched an investigation with assistance from an outside cybersecurity firm, which included a manual document review. 

According to the notice, they determined that protected health information was stored on the impacted drive upon the close of the investigation in September. Regardless of the length of the review, HIPAA requires covered entities to notify affected individuals without unreasonable delay and no later than 60 days after discovering a breach, and to report breaches affecting 500 or more individuals to HHS within that same window. 

Further, the notice fails to disclose that Maze ransomware threat actors were behind the attack, and that the hackers posted patient data they claim to have stolen from the provider as far back as March, first reported by DataBreaches.net and Cyble.

This means patients are only now learning that their data was exposed and stolen more than eight months ago.

The compromised information included patient names, health insurance information, Social Security numbers, medical record numbers, bank account details, military and/or Veterans Administration numbers, driver’s licenses, lab results, and a host of other highly sensitive medical information. 

Advanced Urgent Care officials said they've since improved internal procedures for identifying and remediating threats. Healthcare covered entities should review HIPAA breach notification requirements to avoid similar compliance mistakes.

Data Destroyed Amid Cone Health Ransomware Attack

Cone Health’s Alamance Skin Center in Burlington recently began notifying patients that their data was permanently lost after a ransomware attack in late July.

Officials said no data was taken during the attack, but they are unable to recover the practice’s patient data following the incident. Patients were told to call the specialist ahead of scheduled appointments.

Only the Alamance Skin Center was affected by the ransomware, as its electronic medical record system and servers are separate from the main Cone Health system. Further, the investigation determined hackers gained access either through a phishing attack or by brute-force attempts. 

"While this attack was limited to this single practice, we use this as a learning opportunity,” Frank Riccardi, Cone Health vice president, chief compliance and privacy officer, said in a statement. “I urge everyone to learn from these instances as well.” 

“If you get an email asking for information such as passwords or to click to verify something, think twice,” he added. “These attacks are getting extremely sophisticated. They are targeting families as well as businesses.” 

Northwest Eye Surgeons’ Server Hack Impacts 20K

Five months after discovering a security incident on its computer system, Northwest Eye Surgeons, P.C. and Sight Partners (NES) began to notify 20,838 individuals that their protected health information was compromised during the server hack. 

On May 1, officials detected unusual activity on its systems and launched an investigation, which found an unauthorized third-party accessed the data stored on one NES server.

The exposed information included names, Social Security numbers, driver’s license numbers, identification numbers, financial account and credit card data, medical information, and insurance details. 

The initial investigation concluded on July 31, and officials said another third-party vendor was retained on August 7 to perform data mining to determine the patients impacted by the event, as well as the compromised data. 

“This step was necessary so that NES could identify the affected population in order to send out notice of the incident to these individuals,” officials explained. 

North Dakota Health Department Phishing Incident

About 35,416 individuals that used services from the North Dakota Department of Human Services, North Dakota Department of Health, and Cavalier County Health District are being notified that their data was compromised during a phishing incident. 

The hacker had access to the impacted employee email accounts for a month, between November 23 and December 23, 2019. However, the phishing incident was not discovered until August 27, 2020. 

An investigation determined personal and protected health information was compromised during the incident, which included names, medical diagnoses, treatment information, driver’s licenses, dates of birth, contact details, and mothers’ maiden names. 

Some financial data and Social Security numbers were also exposed during the attack. The state has since taken steps to improve its internal procedures for identifying and remediating threats, as well as to reduce the risk of a recurrent event. 

People Incorporated Mental Health Services’ Email Hack

People Incorporated Mental Health Services in Minnesota recently notified 27,500 patients that their data was compromised during a hacking incident on several employee email accounts. 

The notice does not explain when the hack was first discovered, but the investigation concluded on September 8 that hackers gained access to certain employee email accounts for a week between April 28 and May 4. 

Upon discovery, the account access was disabled, and the IT team performed a mandatory password reset to prevent further access. 

The investigation determined the accounts contained a range of patient information, including personal and health information, such as names, contact details, health data, insurance information, medical record numbers, and treatments.  

Some health insurance data, financial account details, Social Security numbers, driver’s licenses, and state identification numbers were also contained in the impacted accounts. 

People Incorporated has since implemented additional technical safeguards and provided its workforce with training and education on how to identify and handle malicious emails.
