
Ransomware Update: More Data Leaked, NY Health System Recovers

UVM Health has progressed in its ransomware recovery efforts, while St. Lawrence Health restored its network. But three entities were not as successful, as hackers leaked more health data.

Two of the providers impacted by the recent ransomware wave targeting the healthcare sector have made headway in their recovery: St. Lawrence Health System has restored normal operations, and the University of Vermont Health Network has reported significant progress. 

Currently, there are no further updates on the ransomware attacks on the other entities hit during the recent wave of incidents, including Sky Lakes Medical, Sonoma Valley Hospital, and Dickinson County Healthcare System.

However, three other covered entities are facing a worst-case scenario: in the last week, ransomware threat actors leaked massive healthcare datasets as part of further extortion efforts. 

Health Data Leaked by Threat Actors 

REvil threat actors recently posted data they allegedly stole from the New Jersey Dental Hygienist Association (NJDHA) and Beacon Health Solutions. Meanwhile, the Clop ransomware hacking group leaked data they claim to have stolen from Nova Biomedical, a developer and manufacturer of advanced technology blood testing analyzers. 

The data allegedly stolen from Nova Biomedical was recently leaked on the Clop dark web blog, with a warning that the vendor has just 24 hours to contact the group to prevent further exposure.

The posting contains a massive list of apparent employee information, including Social Security numbers, dates of birth, ages, hiring dates, and contact details, as well as emergency contact information and related details. 

Scanned documents were also posted in clear view on the blog, including non-disclosure agreements, clinical core quotes, and certificates of liability insurance. The hackers also appear to have a trove of information about the company’s business operations. 

For NJDHA, the screenshots shared with HealthITSecurity.com show REvil hackers claim to have a trove of financial documents from the company, as well as the personal information of clients that “will soon be published to the public for downloading.” 

The dark web posting shows “PPO Eligibility Status” and benefit breakdowns, including full names, birthdates, insurer names, network statuses, the monetary amount of benefits, deductibles, and for some, that there is no annual max for the individual’s plan.

The hackers also have patient eligibility reports, complete with full names, subscriber IDs, dates of birth, contact details, provider and insurer information, and eligibility details. There are even document scans of patient medical histories, with a long list of sensitive medical conditions, as well as scanned documents of care slips with appointment notes. 

The threat actors warned NJDHA “to enter into a dialogue” to avoid further data leaks and publicity. However, as Coveware data shows, entering a dialogue or paying a ransom demand does not guarantee that the attackers will delete the exfiltrated copies of the data rather than leak or resell them later. 

REvil threat actors also leaked data allegedly exfiltrated from Beacon Health Solutions, with a dark web post updated on November 6. Beacon Health Solutions provides integrated health benefits and claims administration solutions to the healthcare sector.

The hackers claim to have hacked and encrypted “absolutely all servers and working computers” of Beacon Health Solutions, exfiltrating an alleged 600GB of data in the process.

The posting shows the hackers have company data, personal information, financial documents, client SSNs, and phone records. The post contains files named “ECNY Policy Documents”, “Terminations”, “Process Docs”, “Compliance”, “Enrollment”, “Home Directories”, “Human Resources”, and a host of others, including a long list of log data, transition documents, an inventory list, workstations, and much more. 

The hackers also posted scanned documents, including a client license from the North Carolina Department of Health and Human Services Division of Health Service Regulation for Aeroflow, complete with a license number and officials’ signatures. There are also document scans from the Accreditation Commission for Health Care in California for other Beacon Health Solutions clients. 

REvil is continuing to leak the data in 60GB sets, with 10 scheduled data dumps planned for the near future. 

St. Lawrence Health System Recovers

The New York health system’s three hospitals have returned to routine operations after the system fully restored its network, nearly two weeks after falling victim to a ransomware attack, according to local news outlet WWNY.  

The initial attack was detected in a matter of hours, which prompted the IT team to disconnect all systems and the affected network to prevent the attack from spreading. At the time of the attack, officials confirmed the variant used by the attackers was Ryuk ransomware. 

Established downtime procedures were activated to maintain patient care, including EHR downtime and offline, paper-based documentation processes. Patient care continued with limited disruption throughout the recovery efforts, although some ambulances were diverted during the attack’s early stages.

The hospitals in Canton-Potsdam and Gouverneur were the hardest hit by the attack, while the hospital in Massena saw minimal impact. St. Lawrence leveraged a progressive schedule to reboot operations and networks, maintaining communication with the NY State Health Department throughout the recovery efforts.

And on November 6, officials reported they’ve brought all systems back online. IT applications have been restored at all clinics, hospitals, and at the corporate level, which includes patient medical records, its laboratory, and pharmacy. 

St. Lawrence is continuing to investigate the scope of the incident and its impact. 

UVM Health Network

Following the deployment of the Army National Guard’s Combined Cyber Response Team on November 5, UVM has made significant progress in its recovery efforts and now has access to the patient schedules of all network hospitals for the coming week, which will “improve our efficiency and the overall experience for patients” amid continued recovery efforts.

The cyberattack began more than two weeks ago, which caused a significant system-wide network outage. At least six of the health system’s hospitals were affected by the attack, with the biggest impact seen at the UVM Medical Center and with its MyChart Patient Portal. 

The medical records system went down with the attack, delaying certain elective procedures during the early stages. Patient delays were also seen at Central Vermont Medical Center in Berlin, Vermont, and Champlain Valley Physicians Hospital, while other UVM sites have managed to continue providing patient care under EHR downtime procedures. 

The attack also seriously impacted the radiology department and communication between the network of UVM care sites. 

The IT team has been working to restore the “behind-the-scenes components” to support the restoration of patient-facing systems. Officials said they’ve also implemented plans for patients receiving cancer treatments to ensure necessary care is provided. 

“Patients are receiving treatment and we are urgently working to expand our capacity to provide chemotherapy at UVM Medical Center to seven days per week and three evenings per week,” officials said in a statement. “We are also scheduling some patients for treatment at Central Vermont Medical Center, Champlain Valley Physicians Hospital and other facilities when appropriate.” 

However, UVM is currently unable to provide breast imaging, including all mammogram types, breast ultrasound screening, and biopsies, as its clinicians have limited access to patient data. All patients have been informed that their appointments have been canceled for at least Monday, November 9. 

UVM is continuing to work with the National Guard to review all end-user computers and devices, a “massive undertaking” that will continue throughout this week.
