Beaumont Health Reports 2019 Data Breach Impacting 114K Patients

Hackers gained access to several Beaumont Health employee email accounts for a week in 2019; Maze ransomware, phishing incidents, and other ransomware incidents complete this week’s breach roundup.

Michigan-based Beaumont Health recently began notifying about 114,000 patients that their personal data was potentially breached after a hack on several employee email accounts in 2019.

The notification does not explain when the breach was first discovered. However, the investigation concluded on March 29 that several email accounts were accessed for more than a week between May 23 and June 3, 2019. Further, Beaumont was unable to determine whether the data was exfiltrated.

The compromised health and personal data varied by patient and included names, contact information, diagnoses, procedures, treatment locations, patient account numbers, medical record numbers, prescription details, treatments, and other sensitive data.

A limited number of Social Security numbers, financial account data, health insurance information, driver’s licenses, and state identification numbers were contained in the impacted accounts. The cyberattack was contained to the email platform and not all Beaumont patients were affected.

Beaumont has since improved its technical safeguards and provided employees with additional security education and training.

Meadville Medical Center Still Recovering from Malware

Meadville Medical Center is continuing to recover from a March 26 malware cyberattack, according to local news outlet the Meadville Tribune.

It’s the second reported security incident for the Pennsylvania provider in the last two months. Hackers hit the medical center’s employee payroll system in early February. Officials said they were continuing to investigate the incident alongside local law enforcement, a third-party forensics team, and the FBI.

The latest cyberattack was discovered on March 26, forcing the medical center into downtime. The EHR was brought back online on March 31, after officials said they removed the malware. However, they are continuing to investigate and work with a third-party forensics firm to restore the network.

Officials expect the remaining core systems to be fully restored and operational within the week.

Maze Ransomware Posts Data from Rev Cycle Vendor

The notorious Maze ransomware hacking group has posted a sample of data they claim to have stolen from revenue cycle management vendor Healthcare Fiscal Management. Much like with previous attacks, the group posted a zip file with data allegedly stolen from HFM during an attack.

As warned by the FBI, Maze hackers have ramped up their hacking and extortion efforts in recent months using “multiple methods for intrusion, including the creation of malicious look-a-like cryptocurrency sites and malspam campaigns impersonating government agencies and well-known security vendors.”

Healthcare has remained a prime target for the hacking group, despite claims they would not target the sector during the COVID-19 pandemic. In the past, Maze has targeted and posted data from dozens of healthcare entities, including AffordaCare and Hammersmith Medicines Research.

Phishing Attack on Aurora Medical Center, Bay Area

A phishing attack on Aurora Medical Center – Bay Area potentially breached the data of about 27,137 patients and employees. The Wisconsin provider is part of Advocate Aurora Health.

On January 9, officials said they discovered a hacker leveraged a phishing campaign to gain access to several employee email credentials and their email accounts beginning on January 1. The passwords were promptly reset, and an investigation was launched.

The investigation determined the hacker was able to access some of the email messages and patient information contained in the accounts. According to the notice, the hacker may have also accessed a human resource system.

The impacted accounts contained a range of patient data that included names, marital statuses, email addresses, dates of admission, discharge or treatment data, health insurance account numbers, medical device numbers, driver’s licenses, bank and financial account data, and full face photographs, among other sensitive data. All affected patients and employees are being offered a year of free credit monitoring.

Advocate Aurora has since implemented email filtering software and is continuing to monitor its security systems to determine where enhancements may be appropriate. Federal and state law enforcement were contacted, while the provider continues to investigate the incident alongside an external IT consultant team.

Brandywine Counseling and Community Services Ransomware Attack

Delaware-based Brandywine Counseling and Community Services experienced a ransomware attack in February, and patients are being notified that their data was acquired by the hackers during the incident.

On February 10, officials said they discovered some servers were infected with ransomware and immediately took steps to secure their system. Law enforcement was contacted, and an investigation was launched with assistance from an outside computer forensics firm.

The investigation revealed hackers acquired a limited amount of patient data during the attack, including names, contact details, dates of birth, and/or limited clinical data, like prescriptions and treatment information. Some Social Security numbers, driver’s licenses, and health information were exfiltrated, as well.

The attack mirrors findings from Check Point that showed hackers are targeting hospitals and other healthcare entities with double extortion attempts, a style made popular by the Maze ransomware hacking group.

The attackers hit the organization with an initial ransomware attack and steal data during the process for later extortion attempts if the provider refuses to pay the ransom demand.

“Double extortion is a clear and growing ransomware attack trend,” said Check Point Manager of Threat Intelligence, Lotem Finkelsteen, at the time. “In this tactic, threat actors corner their victims even further by dripping sensitive information into the darkest places in the web to substantiate their ransom demands.”

“We’re especially worried about hospitals having to face this threat. With their focus on coronavirus patients, addressing a double extortion ransomware attack would be very difficult,” he added. “We issue caution to hospitals and large organizations, urging them to back up their data and educate their staff.”
