Maze Ransomware Hackers Post Patient Data Stolen from 2 Providers

Despite assurances healthcare providers were off-limits during COVID-19, Maze ransomware hackers post patient data stolen from two covered entities; a separate phishing attack completes this week’s breach roundup.

The notorious Maze ransomware hacking group has failed to follow through on its assurance that the healthcare sector would be off-limits during the COVID-19 pandemic, publishing data stolen from two separate plastic surgeons for sale on the dark web this week. The incidents were first reported and detailed by DataBreaches.net.

Maze claims to have attacked the first victim, Kristen Tarbet, MD in Bellevue, Washington, with ransomware on May 1. As proof of their successful attack, the attackers published a number of large files containing protected health information.

One spreadsheet contained about 39,000 entries of patient appointments; others contained full names, appointment lengths, types, and purposes, provider comments, and dates of birth. Other posted files contained a host of patient contact information and Social Security numbers, as well as medical information including patient histories, diagnostic codes, allergies, and a host of other sensitive data.

Another file contained passwords for the plastic surgeon’s wireless merchant account and QuickBooks, as well as other corporate-related information.

Maze hackers also claim to have attacked Nashville Plastic Surgery Institute, doing business as Maxwell Aesthetics, on May 1.

The data dump provided as proof of its attack contains a host of patient PHI, including names, surgery type diagnostic data, dates of birth, and some health insurance information. The filenames are also crafted in a way that exposes sensitive data, as they include full names, surgery types, the name of the insurance provider, and the dates.

The threat actors also posted complete details of patient histories, as well as medical needs for planned patient surgeries.

Maze ransomware has been incredibly problematic for the healthcare sector, beginning in November and especially during the Coronavirus pandemic. Other threat actors have also tagged onto the double extortion trend, first stealing data from the victim before launching the ransomware payload in an effort to force the victim to pay the ransom demand.

The hackers will first warn the provider, then pressure the victim by posting data dumps as proof, publicly revealing that the provider has been compromised. Last week, Microsoft warned that human-operated ransomware attacks have continued to plague the healthcare sector amid the public health emergency.

And the FBI has repeatedly warned that double-extortion ransomware attempts have spiked in recent months. In the last month, the World Health Organization and multiple COVID-19 research firms have been targeted with extortion attempts.

Healthcare providers should review ransomware insights from Microsoft and the Office for Civil Rights to bolster their defenses.

This story has been updated to include attribution to DataBreaches.net, which first reported on the Maze ransomware incidents.

BJC Healthcare Phishing Attack Impacts 19 Hospitals

Missouri-based BJC Healthcare is notifying an undisclosed number of patients that their data was potentially compromised after a successful phishing attack in March. Nineteen affiliated hospitals were affected by the security incident.

Three employees fell victim to phishing attacks on March 6, which were detected by officials on the same day. The impacted email accounts were secured, and an investigation was launched with assistance from a third-party computer forensics firm.

The investigation determined a hacker gained access to three employee email accounts for just one day, but they were unable to verify whether any patient information, emails, or attachments were viewed by the threat actor during the incident.

As a result, BJC reviewed all emails and attachments to determine which patients were potentially impacted by the compromise. The accounts contained a range of patient data, such as medical record or patient account numbers, provider names, treatments, medications, visit dates, and other clinical data. For some patients, Social Security numbers and/or health insurance data were compromised.

These BJC hospitals were impacted: Alton Memorial Hospital, Barnes-Jewish Hospital, Barnes-Jewish St. Peters Hospital, Barnes-Jewish West County Hospital, BJC Behavioral Health, BJC Corporate Health Services, BJC Home Care, BJC Medical Group, Boone Hospital Center, Christian Hospital, Memorial Hospital Belleville, Memorial Hospital East, Missouri Baptist Medical Center, Missouri Baptist Physician Services, Missouri Baptist Sullivan Hospital, Parkland Health Center Bonne Terre, Parkland Health Center Farmington, Progress West Hospital, and St. Louis Children’s Hospital.

BJC is continuing to review the emails to determine the exact patients impacted by the breach and will enhance the security of its email platform. Its employees will also receive further security training and education around identifying and avoiding suspicious emails.

This is the third data breach reported by BJC in the last two years. In March 2018, a data server misconfiguration exposed the health information of about 33,420 patients from May 9, 2017 through January 23, 2018, when it was discovered.

Later that year, BJC Healthcare’s patient portal was hacked with malware, which potentially allowed hackers to intercept the credit and debit card numbers of about 5,850 patients over the course of one month.