New Mexico Hospital Finds Malware Infection on Digital Imaging Server

The healthcare data of 500 Roosevelt General Hospital patients was exposed by a malware infection; phishing attacks, ransomware, and insider wrongdoing complete this week’s breach roundup.

New Mexico-based Roosevelt General Hospital discovered malware on the digital imaging server of its radiology department, which possibly allowed hackers to view the digital medical images of about 500 patients.

After discovering the malware on November 14, officials said, they promptly worked to isolate the infected server from the network and block access to the command and control server used by the cybercriminals. The RGH IT team then removed the malware and rebuilt the server, while recovering all impacted patient data.

The IT team also conducted a vulnerability scan to ensure the server was secured and protected against further attacks. Officials said they could not rule out access or theft of patient information, although there was no evidence of exfiltration.

The potentially compromised data included patient names, contact information, Social Security numbers, dates of birth, driver’s licenses, medical data, genders, and health insurance details. RGH is continuing to investigate the security incident, which officials said was contained to the imaging server.

A wide range of digital imaging servers are known to have vulnerabilities that can place patient data at risk if left unpatched. In September, NIST released proposed guidance to secure the picture archiving and communication system (PACS) ecosystem in healthcare.

"If not properly secured, vulnerabilities may be introduced into the PACS ecosystem, either affecting clinical information stored in the PACS environment or allowing malicious actors to leverage components within the ecosystem as pivot points into the integrated healthcare information system,” researchers wrote at the time.

Healthcare Administrative Partners’ Email Hack

Pennsylvania-based medical billing and coding vendor Healthcare Administrative Partners is notifying 17,693 patients that their data was potentially breached after the hack of an employee email account.

According to the notification, HAP first discovered suspicious activity within an employee email account on June 26. All employee passwords were immediately changed, as HAP implemented further security controls within its email system.

An investigation assisted by a third-party forensics team showed a hacker accessed one corporate email account. Nearly three months later, on September 16, officials said they determined the impacted account contained protected health information, such as names, medical record numbers, provider names, prescriptions, diagnoses, dates of birth, contact details, and limited treatment data.

Officials said they could not determine whether any information contained in the account was viewed during the hack.

HAP has since implemented additional security controls and policies, including labeling all external emails, restricting mailbox sizes, and adding archiving requirements. Currently, officials said they’re evaluating multi-factor authentication options, while retraining employees on how to recognize and respond to suspicious emails.

Phishing Attack on Sinai Health System

Two employee email accounts of Sinai Health System were compromised by phishing attacks, which potentially breached the data of about 12,578 patients. The notification did not outline the date of discovery, but the investigation into the phishing incident concluded on October 16.

The investigation determined the hacker could have accessed the compromised accounts, which contained patient information, such as names, contact details, dates of birth, Social Security numbers, health insurance information, and health data. The breached data varied by patient.

According to officials, the health system has updated its email filtering controls and revised the email retention policies. The workforce has also received additional security training around identifying malicious emails.

The Center for Health Care Services Ransomware Attack

Computer systems were shut down at the Center for Health Care Services in San Antonio over Christmas, after a ransomware attack, according to local news outlet San Antonio Express News. CHCS is the largest mental health and substance abuse services provider in Bexar County, Texas.

The CHCS IT team isolated the ransomware to a single computer system after law enforcement agents alerted the provider to the attack last week, officials said. The FBI and Secret Service are currently investigating the attack, as it appears to be part of a series of targeted cyberattacks on several organizations.

Upon discovery, the provider shut down the computer systems across all of its clinics. CHCS is currently in the process of bringing its systems back online, beginning with the larger clinics. The systems are slowly being brought back up to ensure they remain secured.

Insider Wrongdoing at Ann & Robert H. Lurie Children’s Hospital of Chicago

A former employee of Ann & Robert H. Lurie Children’s Hospital of Chicago was discovered improperly accessing patient medical records for about a year between September 10, 2018 and September 22, 2019. Upon discovery, the hospital terminated the employee’s access.

On November 15, Lurie Children’s discovered the employee wrongdoing, terminated the employee’s access to patient information, and launched an investigation. Officials said they determined that the employee viewed certain patient names, contact information, dates of birth, and medical information, such as diagnoses and medications.

The employee was unable to view Social Security numbers, insurance details, or financial account data. Officials said the issue was addressed “in accordance with its disciplinary policies,” and the employee was let go from the hospital.

“We deeply regret any inconvenience and concern this incident may cause our patients,” officials said in a statement. “To help prevent something like this from happening in the future, we are retraining our staff regarding appropriate access to patient records.”
