
Accounting Firm Ransomware Hack Affects Community Care Patient Data

Maze hackers infected accounting firm BST with malware, which likely compromised patient data from Community Care Physicians; email compromises, computer hack, and a phishing incident complete this week’s breach roundup.

New York-based accounting firm BST was recently infected with Maze malware, which potentially compromised patient data from Community Care Physicians.

According to the notification, BST fell victim to a ransomware attack in December. The impacted network contained data from the accounting firm’s local clients, to which BST provides accounting and tax services. CCP data was included in those records, but CCP’s own systems were not impacted by the event.

An investigation, led with assistance from a third-party forensics firm, determined the infection lasted for three days between December 4 and December 7. BST was able to restore the affected data from backups, while maintaining the integrity of the files.

BST determined personal health information was included in some of the compromised data, such as the financial data shared with the accounting firm that may involve patient information. This includes names, dates of birth, billing codes, insurance description, and medical record numbers. Patients are being offered a year of free identity monitoring.

Officials said there is a risk the data was potentially accessed, acquired, or otherwise disclosed from the network. BST is actually named as one of the Maze ransomware victims with full data included in the hacking group’s records. It’s unknown whether CCP data was included in those listed files.

As noted earlier this month, Maze ransomware hackers have been extorting private sector organizations and posting data for sale online, including protected health information.

Cloud Vendor Breach Impacts Personal Touch Holding Patients

Personal Touch Holding, which operates more than 16 subsidiaries across the US, is notifying 150,479 patients across those sites that their data was potentially breached after a ransomware attack on its cloud-hosting vendor in December.

The vendor owns Personal Home Care, Personal Home Aides, and Personal Touch Hospice with sites in Virginia, West Virginia, Massachusetts, Texas, Kentucky, Indiana, New York, and others.

On December 1, Crossroads Technologies, which hosts Personal Touch’s electronic medical records, notified the covered entity that it suffered a ransomware attack on its Pennsylvania data center.

At the moment, officials said the impacted server contained a trove of patient data, such as medical treatments, insurance cards, health plan benefit numbers, medical record numbers, names, contact details, dates of birth, and Social Security numbers.

Crossroads is continuing to investigate the incident alongside the FBI and third-party forensic analysts, and officials said they can’t currently confirm the extent of the data breach.

The Department of Health and Human Services’ breach reporting tool shows 16 breach notifications, with varying ranges of victims. Personal Touch Home Aides of New York saw the largest number of impacted patients (38,693), while Home Aides of Baltimore saw just 804 patients impacted.

Pacific Specialty Insurance Reports Breach from March 2019

Nearly one year after the initial data breach occurred, Pacific Specialty Insurance is notifying patients that their data may have been compromised after a hack on several employee email accounts.

Officials said they first discovered suspicious activity within several employee email accounts on June 14, 2019. The investigation determined certain employee email accounts were hacked for 10 days between March 20 and March 30, 2019.

With help from third-party forensics investigators, each accessible file from the impacted accounts was reviewed to determine what, if any, files were potentially accessed by the hacker. On November 7, 2019, investigators compiled a list of impacted patients. And again, in January, addresses for those patients were obtained.

It’s important to note that HIPAA requires covered entities to report breaches within 60 days of discovery.

The potentially compromised data varied by patient and could include names, Social Security numbers, driver’s licenses and/or government-issued IDs, medical data, health insurance information, financial data, and/or payment card details. Patients will receive a year of free credit monitoring.

Pacific Specialty is continuing to improve its data security, including changing the login credentials for all employee email accounts, enabling multi-factor authentication, and implementing additional controls on its employee email platform.

2019 Phishing Attack on Aveanna Health

Georgia-based Aveanna Health is just now notifying patients of a potential data breach caused by a phishing attack on the pediatric home care provider in August 2019.

On August 24, officials said they first discovered a compromise of several employee email accounts and engaged its third-party forensics team. They found several accounts were hacked for more than a month between July 9 and August 24. Data access or exfiltration could not be determined or ruled out.

The account review of the compromised information was completed on December 19. Officials said the compromised data includes patient names, Social Security numbers, State IDs, medical data, health insurance details, driver’s licenses, and financial and bank data.

The breach has not yet been listed on the HHS breach reporting tool. The California Attorney General report shows about 5,000 state residents were involved.

Rady Children’s Hospital Reports 6-Month Data Breach

One of the largest children’s hospitals in California, Rady Children’s Hospital-San Diego, discovered a breach of a computer in January that exposed an undisclosed number of patient records.

First discovered on January 3, a hacker remotely accessed the computer used by the radiology department through an open internet port. An investigation led by a digital forensics firm determined the hacker first gained access more than six months earlier on June 20, 2019.

In fact, officials said access remained possible until the breach was discovered in January 2020.

On February 5, the investigation determined the impacted computer contained a trove of imaging data, including patient names, genders, and dates and types of imaging studies. Some patients saw their dates of birth, medical record numbers, provider names, and/or a description of their imaging study compromised.

Social Security numbers, financial details, medical images, and diagnoses were not impacted. Officials said patients will receive a year of free credit monitoring services. Rady Children’s is continuing to work with its external forensics team to determine how to improve its security posture.
