
Ransomware Attack Hits Dickinson County Health, Spurs EHR Downtime

Dickinson County Health in Michigan is currently operating under EHR downtime procedures after being hit with a ransomware attack; ransomware threat actors post more health data and additional Blackbaud victims complete this week’s breach roundup.

Dickinson County Healthcare System in Michigan is currently operating under EHR downtime procedures, after it fell victim to a ransomware attack on Saturday, according to local news outlet Upper Michigan Source NBC TV6. DCHS operates a range of facilities across Michigan and Wisconsin. 

Discovered the morning of October 17, the ransomware disrupted access to computers at all hospitals and clinics. Upon discovery, those systems were shut down to contain the spread of the virus. DCHS is currently working with a third-party security and forensics firm to assess the scope of the event, as well as to restore system access and functions. 

DCHS will continue to operate under established contingency procedures, while safely providing patient care. Officials noted that nearly all patient care services, including its emergency department, are fully operational amid the recovery.

Clinical staff continues to operate under manual procedures, leveraging paper copies of medical records to support patient care. Law enforcement has been notified and will continue to be informed as to the progress of DCHS recovery efforts. 

“We are treating this matter with the highest priority and are responding by using industry best practices while implementing aggressive protection measures,” Chuck Nelson, DCHS CEO, said in a statement. “While we investigate, our top priority is maintaining our high standards for patient care throughout our system.”

The cyberattack mirrors recent ransomware incidents at Universal Health Services, Valley Health System in Las Vegas, Ashtabula County Medical Center, and Nebraska Medicine. While ransomware attacks cause an average of 15 days of downtime, UHS did not fully recover for at least three weeks after the initial attack.

Conti Ransomware Hackers Post Health Data 

The hacking group behind Conti ransomware recently posted data they allegedly stole from West End Medical Center. According to its website, the provider is now known as Family Health Centers of Georgia, a nonprofit community health center and primary care medical home. 

The screenshots shared with HealthITSecurity.com show a range of files that appear to contain employee information, complete with exposed Social Security numbers, names, addresses, contact information, and job descriptions.

Posted on October 19, the folders are named after employees, as well as “sandisk secure access,” “brndlog,” and "pfro.log," just to name a few. At the time of publication, the posted proofs had been viewed more than 30 times. 

Double extortion hacking attempts have wreaked havoc on the healthcare sector in the last year. Most recently, NetWalker threat actors posted data allegedly stolen from medical manufacturer Sientra. In September, four ransomware groups leaked the data stolen from five separate healthcare entities.

Over 300K More Patients Added to Blackbaud Breach Tally

At least four more providers and over 300,000 patients have been added to the Blackbaud breach victim tally that’s already claimed well over 6 million victims. Blackbaud is a cloud computing vendor for a range of nonprofits, foundations, healthcare entities, corporations, and other change agents. 

First reported in mid-August, Blackbaud discovered a ransomware attack on its self-hosted environment on May 20. However, the attack began several months earlier on February 7. While inside the network, the hackers exfiltrated data from some Blackbaud clients, including donors, patients, and other individuals with relationships to those entities. 

Blackbaud admitted they paid the ransom demand to the hackers to regain control over the data, which included names, contact details, and other sensitive information. The vendor recently reported that the hackers may have also accessed more information than initially expected, including Social Security numbers.

The attack compromised data from Northern Light Foundation in Maine (657,000 individuals), Inova Health System (1 million), Children’s Hospital of Pittsburgh Foundation, Saint Luke’s Foundation (360,212), MultiCare Foundation (300,000 total individuals, of which 179,189 are patients), Main Line Health (60,595), Spectrum Health (52,711), and Northwestern Memorial HealthCare (55,983). 

About 700,000 total individuals with ties to MultiCare Foundation, Spectrum Health, Northwestern Memorial HealthCare (NMHC), and Main Line Health, were also affected by the incident. 

According to the Department of Health and Human Services, the breach has now claimed four additional clients: Geisinger (86,412), Lawrence + Memorial Hospital (21,617), Presbyterian Health Services (193,223), and Sisters of Charity of St. Augustine Health System (118,874). 

For Geisinger, the impacted database contained some patient information, including names, dates of birth, ages, dates of treatment, departments of service, provider names, and/or medical record numbers. No Social Security numbers or financial information was breached during the incident.

Geisinger is currently reviewing the information stored with Blackbaud and its proposed security improvements. 

Lawrence + Memorial Hospital, part of Yale New Haven Health System, reported that the data affected by the Blackbaud hack included demographic details and philanthropic histories of individuals, as well as some financial information and information related to services received at the hospital. 

What’s notable about the L+M disclosure is a reference to Blackbaud’s ransomware payment. 

“Blackbaud has been assured that all data were destroyed, and they do not believe any information has been disseminated in any manner,” officials said in a statement. “However, L+M has not yet been able to independently validate that assurance. In the meantime, L+M will review its relationship with Blackbaud.” 

The Sisters of Charity Health System reported the compromised data included information used for fundraising efforts, including names, contact details, demographic information, dates and locations of service, service lines, and treating physicians. 

The database may also have contained information regarding relationships with SCHS entities, such as donation history, volunteer service, and employment. SSNs, financial information, and banking data were stored encrypted in the database, and not accessible to hackers. 

SCHS is currently evaluating its relationship with Blackbaud and reviewing the security requirements for all of its vendors to prevent a recurrence. 

Lastly, the data compromised from Presbyterian Healthcare Services in New Mexico included names, dates of birth, treatment dates, facilities visited, departments, physician names, employers, emergency contacts, and/or medical record numbers. SSNs and financial data were not included.

Last month, breach victims filed several lawsuits against Blackbaud, alleging negligence, failing to properly monitor the computer network, and failing to provide timely notice.

According to the lawsuit filed in the District of Washington, “Had Defendants properly monitored their networks, security, and communications, they would have prevented the data breach or would have discovered it sooner.” 

The lawsuits seek to recover damages, restitution, and injunctive relief for victims, which they claim were a direct result of Blackbaud’s “unreasonable and deficient data security practices.” 
