Cybercriminals Access PHI, Steal Gift Cards from Kentucky Health Plan

Hackers were able to access protected health information and fraudulently obtain gift cards from the Kentucky Employees’ Health Plan; multiple insider incidents and improper records disposal complete this week’s breach roundup.

The Commonwealth of Kentucky Personnel Cabinet is notifying nearly 1,000 Kentucky Employees’ Health Plan (KEHP) members that some of their personal and protected health information was potentially compromised after a security incident on its well-being and incentive program portal.

The KEHP LivingWell portal is hosted by StayWell, a third-party vendor tasked with administering KEHP’s well-being program. According to its notice, the portal experienced two separate malicious cyberattacks: The first occurred for six days between April 21 and 27, while the second incident lasted for 10 days from May 12 to May 22.

The investigation determined a hacker obtained valid KEHP member email addresses and passwords from a previous, unidentified data breach outside of StayWell. Officials said they determined the threat actor used stolen credentials to access 971 member accounts on the impacted platform, with some members reporting their Commonwealth email accounts were accessed.

Hackers were also able to fraudulently redeem gift cards, while exposing members’ biometric screening and health assessment data. Financial data and Social Security numbers were not compromised by the security incident, as the attack was contained to the KEHP portal.

According to local news outlet Lexington Herald Leader, the amount stolen through fraudulent gift cards totaled more than $107,000.

“The scope of the second round of the attack involved a small subset of KEHP members, targeting potential victims who likely used the same password across multiple systems, accounts, and programs,” officials explained. “The Commonwealth has no reason to believe that the Commonwealth’s human resources systems or data were affected at any point during either round of the attack.”

StayWell temporarily disabled the KEHP LivingWell site while it reviewed its security measures. Further, officials said they also implemented additional user controls for added security. Currently, StayWell is working to restore all 971 impacted member accounts, including incentive accounts.

The Department of Homeland Security has previously warned that organizations and their users are continuing to reuse passwords and update credentials, while advanced persistent threat (APT) actors target healthcare and other essential services. As a result, malicious actors can leverage stolen credentials in password-spraying or other brute-force attacks.

In fact, a report from Yubico revealed IT leaders are consistently engaging in risky password habits, with 35 percent of global IT leaders admitting they fail to change passwords after a cyberattack.

Kaiser Permanente Reports 8-Year Insider Breach

A former imaging technician in the radiology department of the Kaiser Foundation Health Plan of the Mid-Atlantic States improperly accessed the radiology records of about 2,756 patients without authorization over the course of eight years, Kaiser Permanente recently reported.

After the access was discovered in March, Kaiser Permanente placed the employee on administrative leave during the course of the investigation. Officials determined the improper access first began in 2012, and the employee continued to access patient records throughout the impacted timeframe until the access was discovered.

The investigation did not find a legitimate reason for the employee to access the impacted patient records, as the access fell outside of the employee’s job function. Officials said they fired the employee due to the HIPAA violation. Kaiser Permanente did not find evidence the data was copied or used to commit fraud.

The healthcare sector is notorious for its insider breaches, where insider errors are frequently cited as the leading cause. For the first time, Verizon’s latest Data Breach Investigations Report (DBIR) found external threats outpaced insider incidents. Remediation of these breaches cost the healthcare and pharma sectors more than $10.81 annually.

Third-Party Vendor Breach Impacts St. Joseph Health System

Third-party vendor Central Files, tasked with providing secure record storage and disposal for a number of healthcare covered entities, was found to have improperly disposed of some patient files, including those from St. Joseph Health System in Indiana, a member of Trinity Health.

According to its notification, Central Files was hired to destroy certain records and securely store some patient records until they were transferred to a subsequent records company. Those records included both sensitive and legally protected information from St. Joseph patients, clients, and/or employees.

However, beginning on April 1, certain South Bend organizations were alerted that some of the confidential documents entrusted to Central Files were improperly dumped in an unsecure location in town “sometime before April 1, 2020 and several more times until May 15, 2020.”

An investigation was immediately launched to determine the reason for the mishandling, working closely with South Bend law enforcement. Officials said they determined the records were discovered at a dump site in “poor condition, showing signs of moisture damage, mold and rodent infestation, and damage from being mixed with trash and other debris.”

“Trained safety personnel determined that further inspection of most of these records to identify individuals whose information was included in the documents would be extremely hazardous and instead recommended secure destruction as soon as possible,” officials explained.

The records that could be safely salvaged were retained, while St. Joseph engaged with a more appropriate document destruction vendor. The remaining records were securely removed from the site on May 20 and are currently being destroyed.

Many of the impacted records are more than a few decades old, likely containing outdated information. The compromised data included paper medical records and billing statements, which held patient names, contact information, dates of birth, Social Security numbers, insurance information, and other medical data.

The compromised records included Saint Joseph Health System from 1999 to 2013; Allied Physicians of Michiana from 1995 to 2007; New Avenues from June 2004 to December 2015; South Bend Medical Foundation from 2009 to 2015; Goshen Emergency Physicians and Elkhart Emergency Physicians from 2002 to 2010; Michiana Hematology Oncology from 2002 to 2004; and Cardiology Associates from March 1, 2007 to November 30, 2013.

Beacon Health System acquired CAI and its records in December 2013. Notably, it appears Central Files, Inc. is now permanently closed.
