Ransomware Hackers Post Data From 2 Providers, Device Manufacturer

NetWalker and DoppelPaymer ransomware actors posted data online from a device manufacturer and two providers; email hacks, malware, and a phishing incident complete this week’s breach roundup.

NetWalker and DoppelPaymer ransomware threat actors posted data from three healthcare entities to their dark web blogs in the last week, including a rehabilitation center, fertility clinic, and a device manufacturer.

Early last week, NetWalker hackers posted data allegedly stolen from the Center for Fertility and Gynecology in Los Angeles. 

Screenshots shared by a source with HealthITSecurity.com showed credit card authorization forms with signatures, contact details, and payments, along with photocopies of IDs and a list of files labeled emails, scans, EMR forms, file cabinet pictures, daily activity, and egg donations, among others. The screenshots also showed daily deposit summaries, amounts and other sensitive data. 

Later in the week, NetWalker actors also posted evidence of data allegedly stolen from Olympia House, in Petaluma, California. The screenshots sent to HealthITSecurity.com showed lists of files labeled facilities, HIPAA, first names, outcomes, and possible QuickBooks information. Another set showed financial information for supplies and payroll, as well as photocopied patient IDs. 

Meanwhile, DoppelPaymer attackers posted data they claim to have stolen from Boyce Technologies, a device manufacturer working on the production of bridge ventilators for the COVID-19 response. The screenshots show files named purchase orders, sales orders, and “assignment.” 

The hackers wrote that “a lot more can be found here next week.” 

HealthITSecurity.com reached out to these three entities but did not hear back before publication. The story will be updated when more information becomes available. 

Double extortion attacks, in which hackers first gain access to a victim’s network, proliferate across connected devices, and then steal valuable data, have rapidly increased in the last year. The attackers then deploy the ransomware payload and threaten to post the stolen data if the demand is not paid.

The attack method was first made popular by the Maze hacking group, which frequently targets the healthcare sector. But according to federal agencies and security researchers, other hacking groups like NetWalker, DoppelPaymer, and Sodinokibi have also taken to the attack method. 

Healthcare organizations should review Microsoft insights into human-operated ransomware campaigns to understand best practice defense methods for these types of attacks. 

Allergy and Asthma Clinic of Fort Worth Reports System Hack

A hacker recently gained access to the network systems of the Allergy and Asthma Clinic of Fort Worth, potentially exposing the billing and sensitive information of 69,777 patients.

The attack was first detected on June 4, but the investigation determined access first occurred several weeks earlier on May 20. Officials said they determined the hacker possibly accessed some patient files, which included names, contact information, Social Security numbers, dates of birth, insurance details, and appointment details. Impacted patients will receive a year of free identity theft protection services. 

“Though a variety of administrative, physical, and technical security measures were in place prior to this incident, The Clinic has also retained the services of cyber security professionals to further investigate this incident and aid the Clinic in implementing additional safeguards to strengthen data security within the Clinic’s computer environment,” officials wrote. 

Email Hack on FHN in Illinois

FHN, a health system based in Freeport, Illinois, is notifying some of its patients that an email hack in February 2020 resulted in a potential data breach.

Suspicious activity was detected in a number of employee email accounts, and steps were taken to immediately secure the accounts. The investigation, led by a forensics firm, concluded in April that a hacker breached the accounts between February 12 and February 13, 2020.

The emails and attachments were analyzed to determine the type of patient information impacted by the incident. Officials said they determined the compromised information could include names, dates of birth, medical record or patient account numbers, driver’s licenses, health insurance details, and limited clinical or treatment data, such as diagnoses, medications, and provider names. 

For some patients, health insurance information and/or Social Security numbers were impacted. Those patients will receive free credit monitoring and identity protection services.

FHN has since reinforced email security training with its staff and will make email security enhancements, including implementing multi-factor authentication. 

Phishing Attack on Children’s Hospital Colorado 

Children’s Hospital Colorado detected a phishing attack on a provider’s email account on June 22, which potentially led to a compromise of data from about 2,553 patients. 

The incident occurred when an employee responded to a phishing email and provided the hacker with their credentials. As a result, the attacker had access to the account from April 6 to April 12. Officials stressed that the EHR was not impacted by the incident, nor were any patient charts.

An investigation determined the impacted account included patient data, such as names, dates of service, medical record numbers, and diagnoses. Children’s has since updated its email security, while reviewing technical controls and educating employees on cybersecurity. 

Premier Health Partners Investigating Email Hack

Ohio-based Premier Health Partners is continuing to investigate a privacy incident involving a hack of its email accounts. Certain patients from its Clinical Neuroscience Institute, Help Me Grow Brighter Futures, Samaritan Behavioral Health (SBHI), and CompuNet Clinical Laboratories may be affected.

On June 8, officials said they discovered unusual activity in several email accounts and immediately reset all passwords. Premier worked with computer forensics specialists to investigate and confirmed an outside actor accessed those accounts. 

The investigation could not conclusively rule out access, which has led to a full account review to determine the records impacted during the incident. The investigation is ongoing, but officials said they plan to notify patients once they’ve completed the analysis. 

“Since discovering this event, we have been working diligently with computer forensic specialists to determine what happened and what data was potentially impacted,” officials wrote. “We are retraining staff and implementing additional safeguards to further secure the information in our systems.”  

“Although we have no indication that information was or will be misused, we will be providing potentially impacted individuals notice of this event, as well as information and resources to assist them in protecting personal information, should they feel it appropriate to do so,” they added.
