National Cardiovascular Partners Email Hack Impacts 78K Patients

A hacker gained access to the email account of an employee of National Cardiovascular Partners for nearly a month; a phishing incident, ransomware, and medical record theft complete this week’s breach roundup.

National Cardiovascular Partners recently notified 78,070 patients that their data was potentially compromised after an attacker gained access to an employee email account. 

According to its notice to California Attorney General Xavier Becerra, NCP first discovered the account breach on May 19. However, access first began nearly a month earlier on April 27. Upon discovery, the account was secured and access to the account was terminated. 

An investigation conducted with support from an outside cybersecurity forensics firm determined the account contained patient information, including names, contact information, and a host of other sensitive data that varied by patient.

But officials believe the goal of the hack was to commit financial fraud against NCP. Out of an abundance of caution, the impacted patients will receive a year of identity detection and identity theft resolution. 

NCP has since implemented additional security measures to prevent a recurrent security incident and provided employees with further email security training. 

Recently, Mimecast researchers detected a mass spike in phishing, ransomware, and impersonation attacks, which spotlighted the critical enterprise risk posed by email. 

In healthcare, the risk is significant, as an earlier Mimecast and HIMSS Media report found the majority of hospitals and health systems are failing to prioritize email security awareness training, with 90 percent experiencing an email-related cyberattack in the last year. 

University of Utah Health Reports Third Phishing Attack of 2020

Salt Lake City-based University of Utah Health has reported its third phishing-related patient data breach to the Department of Health and Human Services this year. The latest security incident affected 10,000 patients. 

However, the provider has not yet updated its list of notifications to include details from the latest email breach.

In the second breach notification, officials explained they discovered a hacker gained access to multiple employee email accounts for four months between January 22 and May 22.

The access occurred between January 7 and February 21, as a result of a successful phishing scheme sent to employees, the first notice explained. The accounts were immediately secured, and an investigation was launched. 

The first notice also explained malware was installed onto an employee workstation, which was first discovered in February. The virus may have given an attacker access to some patient information, including names, dates of birth, medical record numbers, and limited clinical data related to patient care. 

The first phishing attack was reported to HHS in April as impacting 5,000 patients.  

The second breach was reported in June as affecting 2,700 patients. Officials said a hacker gained access to an employee email account for more than a month between April 6 and May 22 through another phishing campaign. 

Some employees responded to the malicious emails, as they believed the messages were legitimate requests. The accounts were secured but officials found patient information was contained in the impacted accounts, precisely as in the previous attack. 

U of U Health is continuing to investigate and review its protocols, while reinforcing security procedures with employees and implementing necessary changes to prevent a recurrence. 

Hackers Post Alleged Amphastar Pharmaceuticals Data

The threat actors behind DoppelPaymer ransomware recently posted data they claim to have stolen from Amphastar Pharmaceuticals. Amphastar develops, manufactures, and markets generic and proprietary injectable, intranasal and inhalation products. 

The example data posted by DoppelPaymer and shared with HealthITSecurity.com appears to contain insulin research reports, confidentiality agreements, audits, and other sensitive data. The posting also includes a list of operating systems allegedly targeted by the hackers, including Windows XP, Server 2003, Server 2008, and Server 2012, for a total of 1,657. Cyble Inc. also shared screenshots from the alleged hack.

Hackers have increasingly leveraged double extortion attempts against the healthcare sector for months. Earlier this year, following the trend made popular by Maze hackers, DoppelPaymer ransomware attackers launched a site to post data allegedly stolen from their victims in an effort to shame the entity into paying the ransom demand.

Patient Data Stolen from Walmart Pharmacies

Amid widespread civil unrest, Walmart is reporting that three of its Chicago pharmacies were broken into by several individuals. 

The stores were physically secured, but the individuals broke through the locked doors and windows, causing damage to the stores. Those individuals also gained entry into the pharmacies to steal medications and other materials, including patient information in some instances. 

“For example, some of the stolen medications were packaged for pickup and included patient information on labels and related documents,” officials explained. 

An investigation determined the affected patient data included names, contact information, medication information, prescription numbers, prescriber information, and other sensitive details. Walmart is continuing to investigate the incident alongside law enforcement. 
