
Assured Imaging Ransomware Causes Data Theft Affecting 245K Patients

A ransomware attack on Assured Imaging’s EMR allowed some patient data to be exfiltrated; the Blackbaud ransomware attack adds 708,690 more affected individuals, threat actors post more stolen patient data, and a phishing incident complete this week’s breach roundup.

Arizona-based Assured Imaging is notifying 244,813 patients that some of their data was potentially exfiltrated after a ransomware attack in May. 

On May 19, Assured first discovered that its electronic medical records (EMR) system had been encrypted with ransomware. Officials quickly worked to restore access to the patient data stored in the EMR and launched an investigation with help from third-party computer forensics specialists to determine the scope of the incident. 

The investigation confirmed on July 1 that the threat actor had access to Assured systems from May 15 until May 17, stealing some patient data before deploying the final ransomware payload. The investigation could not fully determine exactly which patient data was stolen. 

Assured reviewed all information stored in its systems and identified the patient information that could potentially have been accessed by the attacker, which included full names, contact details, testing recommendations, services provided, provider names, medical histories, patient IDs, and other sensitive information. 

Currently, officials are reviewing existing policies and procedures and will implement additional safeguards to prevent a recurrence. Assured joins a growing list of providers to experience a ransomware attack that resulted in data theft, which Emsisoft found occurs in about one out of every 10 ransomware incidents. 

This tactic is known as double extortion: the attacker first steals data from the victim, then launches the final ransomware payload, and threatens to leak the stolen data if the ransom demand is not paid. Because the attacker holds a copy of the data, restoring from backups alone no longer resolves the incident. 

The method was first made popular by the Maze ransomware group, but others such as NetWalker and Sodinokibi (REvil) have since adopted it. 

Blackbaud Ransomware Incident Claims 708K More Victims

The May ransomware attack on Blackbaud, a healthcare business associate, has impacted at least 708,690 more individuals in the healthcare sector than initially reported. 

Blackbaud is a cloud computing vendor for a range of nonprofits, healthcare systems, and hospitals. In May, officials said they discovered a ransomware attack that enabled the attackers to steal a subset of data from its self-hosted environment before Blackbaud was able to lock the attackers out of its systems. 

The vendor paid the hackers’ ransom demand “with confirmation that the copy they removed had been destroyed.” A victim has no technical means to verify such a claim, since the attacker can retain as many copies of exfiltrated data as they wish. The attack occurred between February 7 and May 20, 2020. 

The Northern Light Health Foundation in Maine was the first reported healthcare victim of the attack, which impacted the data of 657,392 of its donors, potential donors, and patients who supported the foundation. 

The Department of Health and Human Services’ breach reporting tool shows at least another five healthcare entities and a total of 708,690 more individuals have been affected by the incident: Saint Luke’s Foundation, MultiCare Foundation, Spectrum Health, Northwestern Memorial HealthCare (NMHC), and Main Line Health. 

About 360,212 patients of Kansas City, Missouri-based Saint Luke’s were affected by the incident. The compromised backup file contained patient information such as names, contact details, and/or dates of birth. For some patients, the ransomware attack may have affected the names and addresses of the patient’s guarantor and limited medical information, such as dates of service and department of care. 

For MultiCare Foundation in Washington, 300,000 donors and potential donors, including 179,189 patients, were impacted by the Blackbaud incident. The compromised patient data included demographic details, dates and departments of service, and provider names. 

Affected donor information included just names, addresses, telephone numbers, and emails. For some guarantors, dates of birth, addresses, and dates of service were compromised. 

Spectrum Health in Michigan performed its own investigation into the Blackbaud incident and found the hackers were able to access the protected health information of 52,711 individuals. The data was provided to Blackbaud as part of Spectrum Health’s grateful giving program. 

The impacted data was limited to names, contact details, dates of birth, medical record numbers, history of donations to the Spectrum Health Foundation, and other publicly available data.  

About 55,983 donors and patients of NMHC in Illinois were affected by the Blackbaud cyberattack. The compromised data included information on patients for whom donations were made, such as names, ages, genders, dates of birth, medical record numbers, dates of service, departments of service, providers, and/or limited clinical information. 

For five individuals, Social Security numbers, financial account details, and/or payment card information were stored unencrypted and were therefore accessible to the threat actors. 

Lastly, a reported 60,595 donors, potential donors, patients, and community members of Main Line Health in Pennsylvania were impacted in the event. The compromised database contained names, ages, genders, dates of birth, medical record numbers, dates of treatment, departments of service, and the provider names of some or all patient donors or prospective donors. 

Main Line is reviewing options to avoid a recurrence, including revisiting its relationship with Blackbaud and the security measures for information stored with its third-party vendors. 

Ransomware Hackers Post Data from Indiana Hospital 

Conti ransomware threat actors posted data for sale on the dark web, which they allegedly stole from Adams Memorial Hospital – a 25-bed critical access hospital in Indiana. 

Reports show the Conti variant may have been developed by Ryuk operators, a notorious hacking group that has wreaked havoc on the healthcare sector. There are similarities in the code and infrastructure used in both Conti and Ryuk attacks. 

In screenshots shared with HealthITSecurity.com, it appears the data stolen by the hackers contains credit applications for medical services, banking balances, merchant data, copies of driver's licenses, sponsor letters, and other sensitive data. 

The Adams Memorial Hospital site does not currently show a notice about a ransomware incident. HealthITSecurity.com has reached out for a comment, and this story will be updated if more information becomes available. 

139K Patients Impacted by Imperium Health Phishing Attack

Business associate Imperium Health is notifying 139,114 patients that their data was potentially breached after a three-day phishing attack in April. 

According to its notice, two employees fell victim to a phishing scheme: they clicked the malicious links contained in the emails and entered their credentials, giving the attacker access to their email accounts. 

The investigation into the incident concluded nearly two months later in June, finding that patient information contained in the accounts was potentially visible to the attacker. 

The compromised data included names, contact details, dates of birth, medical record numbers, account numbers, health insurance information, Medicare numbers, Medicare Health Insurance Claim Numbers (which may contain Social Security numbers), and limited clinical and treatment data. 

The investigation determined the attacker gained access only to those two employee email accounts during the attack and did not gain access to any other information systems. Given the severity of the information potentially accessed, it’s important to note that under the HIPAA Breach Notification Rule, covered entities are required to notify patients of data breaches without unreasonable delay and no later than 60 days after discovery, not at the close of an investigation. 

Imperium has since educated employees on identifying and avoiding phishing emails and implemented additional security measures, including multi-factor authentication for remote access systems and protocols for the secure transfer of personal information. 
