HIPAA Breach News

Failure to Terminate Former Employee’s Access Rights Results in $202,000 HIPAA Fine for New Haven, CT

The City of New Haven, Connecticut has agreed to pay a $202,400 financial penalty to the Department of Health and Human Services’ Office for Civil Rights to resolve a HIPAA violation case.

An OCR investigation was launched in May 2017 following receipt of a data breach notification from New Haven on January 24, 2017. OCR investigated whether the data breach was linked to potential violations of HIPAA Rules.

During the investigation, OCR discovered that the New Haven Health Department had terminated an employee on July 27, 2016, during her probationary period. The former employee returned to the New Haven Health Department on July 27, 2016 with her union representative and used her work key to access her old office, where she locked herself inside with her union representative.

While in her office, the former employee logged into her old computer using her username and password and copied information from her computer onto a USB drive. She also removed personal items and documents from the office, and then exited the premises. A file on the computer contained the protected health information of 498 patients, including names, addresses, dates of birth, race/ethnicity, gender, and sexually transmitted disease test results. That file was downloaded onto the USB drive. The actions of the former employee were witnessed by an intern.

OCR investigators also determined that the former employee had shared her login credentials with an intern, who continued to use those credentials to access PHI on the network after the employee had been terminated.

Had the New Haven Health Department deactivated the former employee’s login credentials at the time of her termination, a data breach would have been prevented. If all users had been given their own, unique login credentials, it would have been possible to accurately determine the system activity of each individual and identify their interactions with electronic protected health information.

OCR concluded that between December 1, 2014 and December 31, 2018, HIPAA Privacy Rule policies and procedures had not been implemented, New Haven had not implemented procedures for terminating access to ePHI when the employment of, or other arrangement with, a workforce member ends, and New Haven had failed to assign unique usernames and passwords to track user identity.
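The two control failures above, an account left active after termination and one login shared between several people, both leave traces in authentication logs. The following is an added illustration, not code from the article or from New Haven; the HR roster, usernames, workstation names and log lines are constructed, and the 15-minute "two workstations" window is an assumed heuristic.

```python
from datetime import datetime, timedelta

# Constructed HR roster: username -> date employment ended (None = still employed).
# "jdoe" is a placeholder for the terminated worker; no real accounts are used.
HR_ROSTER = {
    "jdoe": datetime(2016, 7, 27),
    "asmith": None,
}

# Constructed authentication log: timestamp, username, workstation, event.
AUTH_LOG = """\
2016-07-26T09:01:00 jdoe WS-HEALTH-12 logon
2016-07-26T09:03:00 jdoe WS-INTERN-03 logon
2016-07-27T15:40:00 jdoe WS-HEALTH-12 logon
2016-07-27T15:45:00 jdoe WS-HEALTH-12 usb_write
2016-08-02T08:10:00 jdoe WS-INTERN-03 logon
2016-08-02T08:12:00 asmith WS-HEALTH-07 logon
"""


def parse_log(text):
    """Turn the whitespace-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, event = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "host": host, "event": event})
    return events


def activity_after_termination(events, roster):
    """Any event by an account on or after its owner's termination date means
    the account was not deactivated at offboarding (the first OCR finding)."""
    return [e for e in events
            if roster.get(e["user"]) is not None and e["ts"] >= roster[e["user"]]]


def shared_credential_suspects(events, window=timedelta(minutes=15)):
    """Flag accounts that log on from two different workstations within `window`.
    One person rarely does that; two people sharing a login do (the second
    OCR finding: without unique IDs, activity cannot be tied to an individual)."""
    by_user = {}
    for e in events:
        if e["event"] == "logon":
            by_user.setdefault(e["user"], []).append(e)
    suspects = []
    for user, logons in by_user.items():
        logons.sort(key=lambda e: e["ts"])
        for prev, cur in zip(logons, logons[1:]):
            if prev["host"] != cur["host"] and cur["ts"] - prev["ts"] <= window:
                suspects.append((user, prev["host"], cur["host"], cur["ts"]))
    return suspects


if __name__ == "__main__":
    events = parse_log(AUTH_LOG)
    for e in activity_after_termination(events, HR_ROSTER):
        print("post-termination activity:", e["ts"], e["user"], e["host"], e["event"])
    for user, h1, h2, ts in shared_credential_suspects(events):
        print("possible shared credential:", user, h1, "->", h2, "at", ts)
```

Run daily against the HR feed and the directory's logon audit, the first check is the reconciliation that catches an offboarding miss; the second only surfaces candidates, which still need a conversation with the account owner.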

An accurate organization-wide risk assessment had not been performed to identify the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information and there had been an impermissible disclosure of the PHI of 498 individuals.

In addition to the financial penalty, the City of New Haven has agreed to adopt a corrective action plan to address all areas of noncompliance. OCR will monitor the City of New Haven for HIPAA compliance for two years from the date of the resolution agreement.

“Medical providers need to know who in their organization can access patient data at all times. When someone’s employment ends, so must their access to patient records,” said OCR Director Roger Severino.

The settlement is the 4th to be announced by OCR in October 2020, and the 15th HIPAA financial penalty of 2020.

The post Failure to Terminate Former Employee’s Access Rights Results in $202,000 HIPAA Fine for New Haven, CT appeared first on HIPAA Journal.

Sky Lakes Medical Center and St. Lawrence Health System Attacked with Ransomware

Two more hospitals have experienced ransomware attacks that have taken their computer systems offline and have forced clinicians to switch to pen and paper to record patient information.

Both ransomware attacks occurred on Tuesday, October 27, 2020, one on Sky Lakes Medical Center in Klamath Falls, OR and the other on St. Lawrence Health System in New York. At this stage it is unclear which ransomware variant was used in the attack on Sky Lakes Medical Center, but the attack on St. Lawrence Health System involved a new variant of Ryuk ransomware.

Sky Lakes Medical Center announced on Facebook that, while its computer systems had been taken out of action, care continued to be provided to patients, its emergency and urgent care departments remained open and fully operational, and most scheduled elective procedures were continuing as planned. At this stage, no evidence has been found to indicate any patient data were compromised in the attack; however, the investigation is still in its early stages.

The attack on St. Lawrence Health System was detected several hours after the initial compromise. St. Lawrence Health System issued a statement saying its IT department had taken systems offline in an effort to contain the attack and prevent the ransomware from spreading to all parts of the network.

The ransomware attack is reported to have affected three of its hospitals – Canton-Potsdam Hospital, Gouverneur Hospital, and Massena Hospital. The decision was taken to divert ambulances from some of the affected hospitals as a precautionary step to ensure care could be provided to patients.

As with the attack on Sky Lakes Medical Center, no evidence has been found to indicate patient information was compromised, although the Ryuk ransomware gang is known to exfiltrate patient data prior to file encryption.

A joint advisory was issued by CISA and the FBI this week, in conjunction with the Department of Health and Human Services (HHS), warning about an increase in targeted Ryuk ransomware attacks on hospitals and public health sector organizations. Credible evidence had been uncovered suggesting attacks on hospitals and other healthcare providers would likely increase.

Healthcare organizations are being advised to take steps to secure their networks from attacks. Indicators of compromise have been published along with mitigation measures to help prevent attacks and identify attacks in progress. Further information on the advisory along with the steps that should be taken to harden defenses can be found here.


Aetna Slapped with $1 Million HIPAA Fine for Three Data Breaches

Aetna Life Insurance Company and the affiliated covered entity (Aetna) has agreed to settle multiple potential HIPAA violations with the Department of Health and Human Services’ Office for Civil Rights (OCR) that were discovered during the investigation of three data breaches that occurred in 2017.

The first of those data breaches was reported to OCR in June 2017 and concerned the exposure of the protected health information (PHI) of health plan members over the Internet. Two web services were used to display health plan-related documents to its members, but those documents could be accessed over the Internet without the need for any login credentials.

The lack of authentication allowed the documents to be indexed by search engines and displayed in search results. Aetna’s investigation revealed the PHI of 5,002 individuals had been exposed, which included names, insurance identification numbers, claim payment amounts, procedure service codes, and dates of service.

The other two HIPAA breaches involved the exposure and impermissible disclosure of highly sensitive information in two mailings to plan members. In both mailings, window envelopes had been used which allowed PHI to be viewed without opening the envelopes.

The first mailing in July 2017 saw benefit notices sent to 11,887 individuals who were receiving HIV medication, either for treatment or prophylaxis. The words “HIV medication” could be seen through the windows of the envelope, along with the name and address of each individual.

The second mailing, sent in September 2017, concerned a research study on individuals with an irregular heart rhythm. Through the windows of the envelope the name and logo of the atrial fibrillation research study were clearly visible along with the name and address of the recipient. The mailing was sent to 1,600 individuals.

These three incidents resulted in the impermissible disclosure of the PHI of 18,489 individuals and during the course of the investigation OCR investigators uncovered several other violations of the HIPAA Rules.

  • Aetna had not performed periodic technical and nontechnical evaluations of operational changes affecting the security of their electronic PHI (ePHI), in violation of 45 C.F.R. § 164.308(a)(8);
  • Procedures had not been implemented to verify the identity of individuals or entities looking to access their ePHI, in violation of 45 C.F.R. § 164.312(d);
  • Disclosures of ePHI had not been limited to the minimum necessary information to achieve the purpose for the disclosure, in violation of 45 C.F.R. § 164.514(d); and
  • There was a lack of appropriate administrative, technical, and physical safeguards to protect the privacy of PHI, in violation of 45 C.F.R. § 164.530(c).

“When individuals contract for health insurance, they expect plans to keep their medical information safe from public exposure. Unfortunately, Aetna’s failure to follow the HIPAA Rules resulted in three breaches in a six-month period, leading to this million-dollar settlement,” said OCR Director Roger Severino.

In addition to the financial penalty, Aetna has agreed to adopt a corrective action plan to address all areas of HIPAA noncompliance discovered by OCR. OCR will be monitoring Aetna closely for noncompliance with the HIPAA Rules for 2 years.

Settlements totaling $2,725,170 were agreed in 2018 to resolve HIPAA violation cases brought by state attorneys general in California ($935,000), Connecticut ($99,959), New Jersey ($365,211.59), New York ($1,150,000) and the District of Columbia ($175,000) over these data breaches. In 2018, Aetna also settled a class action lawsuit filed on behalf of victims of the HIV medication mailing incident for $17 million.

This year has already seen more penalties imposed on covered entities and business associates than any other year since OCR was given the authority to impose fines for HIPAA violations. There have been 14 settlements announced this year totaling $13,211,500.


Sonoma Valley Hospital Suffers Significant EHR Downtime Event

Sonoma Valley Hospital in California experienced a computer security incident on October 11, 2020 which took its computer systems offline and caused “a significant downtime event.”

The hospital implemented its business continuity plan which allowed care to continue to be provided to patients while its computer systems were out of action. Throughout the incident its emergency department remained available and elective and necessary surgeries continued to be performed. The majority of diagnostic services continued without interruption, although the incident did cause disruption for some patients. The patient portal has remained available throughout, although new results have not been posted since October 11.

An investigation into the incident was immediately launched and third-party cybersecurity experts were engaged to assist with the investigation and recovery efforts. No information on the exact cause of the incident has been released to date, including whether ransomware was involved, and it is not yet known if any patient data was compromised.

Lycoming-Clinton Joinder Board Uncovers Further Data Breach

Lycoming-Clinton Joinder Board (LCJB), which runs programs providing services to individuals with mental illness or intellectual disabilities in Lycoming and Clinton Counties in Pennsylvania, is alerting 14,500 patients that some of their protected health information has potentially been compromised.

On August 10, 2020, while investigating an earlier data breach, LCJB discovered the email accounts of three employees had been accessed by an unauthorized individual. An analysis of the email accounts confirmed they contained patient information, but it was not possible to determine if any information in the accounts had been viewed or obtained by unauthorized individuals.

Information in the accounts varied from patient to patient and may have included names, addresses, dates of birth, medical record numbers, health insurance numbers, medical histories (including diagnoses, substance abuse, lab tests and results, mental or physical health evaluations, and treatment or provider information), costs of care, or circumstances of abuse. A limited number of Social Security numbers were also exposed.

The investigation confirmed the three email accounts were intermittently accessed by an unauthorized individual between August 5, 2020 and August 10, 2020. The earlier breach, which was discovered on June 23, 2020, was also an email security incident, which affected two employee email accounts. Those accounts were accessed by an unauthorized individual between June 19, 2020 and June 23, 2020 and contained the records of 3,905 patients. While there were similarities between both incidents, it was not possible to tell if the same individual was responsible.

In response to the incidents, LCJB has taken several steps to improve email security, including increasing password complexity, implementing 2-factor authentication for remote access, restricting access to systems to users within the United States, and enhancing its cybersecurity training program for staff members. Policies and procedures have also been developed and implemented that require personal information to be securely deleted regularly from the email system and the network.

1,700 Patients of Coast Dental Notified About Possible Theft of PHI

Tampa, Florida-based Coast Dental has started notifying 1,700 patients that records containing their protected health information are missing and have potentially been stolen.

A moving truck containing equipment and patient records was stolen from a parking lot in Atlanta, GA during the night of August 6-7, 2020. The theft was reported to the police department and the truck was recovered and impounded the following day. The truck was locked to secure the contents until the vehicle was released by the police department. An inventory of the contents of the truck was conducted between August 26 and 28, 2020, which revealed patient records were missing.

On October 13, 2020, notification letters were sent to all patients whose records may have been stolen and, out of an abundance of caution, patients whose Social Security number was potentially compromised have been offered complimentary credit monitoring services.

In response to the incident, Coast Dental has re-educated its workforce and has refined processes to better secure patient information.


September 2020 Healthcare Data Breach Report: 9.7 Million Records Compromised

September has been a bad month for data breaches. 95 data breaches of 500 or more records were reported by HIPAA-covered entities and business associates in September – a 156.75% increase compared to August 2020.

[Chart: healthcare data breaches reported per month, September 2020 report]

Not only did September see a massive increase in reported data breaches, the number of records exposed also increased significantly. 9,710,520 healthcare records were exposed in those breaches – 348.07% more than August – with 18 entities suffering breaches of more than 100,000 records. The mean breach size was 102,216 records and the median breach size was 16,038 records.

[Chart: healthcare records breached per month, September 2020 report]

Causes of September 2020 Healthcare Data Breaches

The massive increase in reported data breaches is due to the ransomware attack on the cloud software company Blackbaud. In May 2020, Blackbaud suffered a ransomware attack in which hackers gained access to servers housing some of its customers’ fundraising databases. Those customers included many higher education and third sector organizations, and a significant number of healthcare providers.

Blackbaud was able to contain the breach; however, prior to the deployment of the ransomware, the attackers exfiltrated some customer data. The breach was initially thought to only include limited data about donors and prospective donors, but further investigations revealed Social Security numbers and financial information were also exfiltrated by the hackers.

Blackbaud negotiated a ransom payment and paid to prevent the publication or sale of the stolen data. Blackbaud has reported it has received assurances that all stolen data were deleted. Blackbaud has engaged a company to monitor dark web sites but no data appears to have been offered for sale.

Blackbaud announced the ransomware attack in July 2020 and notified all affected customers. HIPAA-covered entities affected by the breach started to report the data breach in August, with most reporting in September.

It is currently unclear exactly how many U.S. healthcare organizations were affected by the breach and the final total may never be known. Databreaches.net has been tracking the Blackbaud breach reports and, at last count, at least 80 healthcare organizations are known to have been affected. The records of more than 10 million patients are thought to have been compromised as a result of the ransomware attack.

[Chart: causes of September 2020 healthcare data breaches]

Unsurprisingly, given the numbers of healthcare providers affected by the Blackbaud breach, hacking/IT incidents dominated the breach reports. 83 breaches were attributed to hacking/IT incidents and 9,662,820 records were exposed in those breaches – 99.50% of all records reported as breached in September. The mean breach size was 116,420 records and the median breach size was 27,410 records.

There were 7 unauthorized access/disclosure incidents reported in September involving a total of 34,995 records. The mean breach size was 4,942 records and the median breach size was 1,818 records. There were 4 loss/theft incidents reported involving 12,029 records, with a mean breach size of 3,007 records and a median size of 2,978 records. There was 1 improper disposal incident reported involving 1,076 records.

Most of the compromised records were stored on network servers, although there were a sizable number of breaches involving PHI stored in email accounts.

[Chart: location of breached PHI, September 2020 report]

Largest Healthcare Data Breaches Reported in September 2020

| Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach | Breach Cause |
|---|---|---|---|---|
| Trinity Health | Business Associate | 3,320,726 | Hacking/IT Incident | Blackbaud Ransomware Attack |
| Inova Health System | Healthcare Provider | 1,045,270 | Hacking/IT Incident | Blackbaud Ransomware Attack |
| NorthShore University HealthSystem | Healthcare Provider | 348,746 | Hacking/IT Incident | Blackbaud Ransomware Attack |
| SCL Health – Colorado (affiliated covered entity) | Healthcare Provider | 343,493 | Hacking/IT Incident | Blackbaud Ransomware Attack |
| Nuvance Health (on behalf of its covered entities) | Healthcare Provider | 314,829 | Hacking/IT Incident | Blackbaud Ransomware Attack |
| The Baton Rouge Clinic, A Medical Corporation | Healthcare Provider | 308,169 | Hacking/IT Incident | Ransomware Attack |
| Virginia Mason Medical Center | Healthcare Provider | 244,761 | Hacking/IT Incident | Blackbaud Ransomware Attack |
| University of Tennessee Medical Center | Healthcare Provider | 234,954 | Hacking/IT Incident | Blackbaud Ransomware Attack |
| Legacy Community Health Services, Inc. | Healthcare Provider | 228,009 | Hacking/IT Incident | Phishing Attack |
| Allina Health | Healthcare Provider | 199,389 | Hacking/IT Incident | Blackbaud Ransomware Attack |
| University of Missouri Health Care | Healthcare Provider | 189,736 | Hacking/IT Incident | Phishing Attack |
| The Christ Hospital Health Network | Healthcare Provider | 183,265 | Hacking/IT Incident | Blackbaud Ransomware Attack |
| Stony Brook University Hospital | Healthcare Provider | 175,803 | Hacking/IT Incident | Blackbaud Ransomware Attack |
| Atrium Health | Healthcare Provider | 165,000 | Hacking/IT Incident | Blackbaud Ransomware Attack |
| University of Kentucky HealthCare | Healthcare Provider | 163,774 | Hacking/IT Incident | Blackbaud Ransomware Attack |
| Children’s Minnesota | Healthcare Provider | 160,268 | Hacking/IT Incident | Blackbaud Ransomware Attack |
| Roswell Park Comprehensive Cancer Center | Healthcare Provider | 141,669 | Hacking/IT Incident | Blackbaud Ransomware Attack |
| Piedmont Healthcare, Inc. | Healthcare Provider | 111,588 | Hacking/IT Incident | Blackbaud Ransomware Attack |
| SCL Health – Montana (affiliated covered entity) | Healthcare Provider | 93,642 | Hacking/IT Incident | Blackbaud Ransomware Attack |
| Roper St. Francis Healthcare | Healthcare Provider | 92,963 | Hacking/IT Incident | Blackbaud Ransomware Attack |

September 2020 Data Breaches by Covered Entity Type

88 healthcare providers reported data breaches of 500 or more records in September and 2 breaches were reported by health plans. 5 breaches were reported by business associates of HIPAA-covered entities, but a further 53 breaches involved a business associate, with the breach reported by the covered entity. Virtually all of those 53 breaches were due to the ransomware attack on Blackbaud.

[Chart: September 2020 data breaches by covered entity type]

September 2020 Data Breaches by State

Covered entities and business associates in 30 states and the District of Columbia reported data breaches of 500 or more records in September.

New York was the worst affected state with 10 breaches, 6 breaches were reported in each of California, Minnesota, and Pennsylvania, 5 in each of Colorado, South Carolina, and Texas, 4 in Florida, Georgia, Massachusetts, Ohio, and Virginia, 3 in each of Iowa, Kentucky, Louisiana, and Michigan, and 2 in each of Connecticut, Maryland, North Carolina, Tennessee, and Wisconsin.

One breach was reported in each of Alabama, Delaware, Illinois, Indiana, Missouri, New Hampshire, New Jersey, Oklahoma, Washington, and the District of Columbia.

HIPAA Enforcement Activity in September 2020

Prior to September, the HHS’ Office for Civil Rights had only imposed three financial penalties on covered entities and business associates to resolve HIPAA violations, but there was a flurry of announcements about HIPAA settlements in September with 8 financial penalties announced.

The largest settlement was agreed with Premera Blue Cross to resolve HIPAA violations discovered during the investigation of its 2014 data breach that affected 10.4 million of its members. OCR found compliance issues related to risk analyses, risk management, and hardware and software controls. Premera agreed to pay a financial penalty of $6,850,000 to resolve the case. This was the second largest HIPAA fine ever imposed on a covered entity.

CHSPSC LLC, a business associate of Community Health Systems, agreed to pay OCR $2,300,000 to resolve its HIPAA violation case which stemmed from a breach of the PHI of 6 million individuals in 2014. OCR found compliance issues related to risk analyses, information system activity reviews, security incident procedures, and access controls.

Athens Orthopedic Clinic PA agreed to pay a $1,500,000 penalty to resolve its case with OCR which stemmed from the hacking of its systems by TheDarkOverlord hacking group. The PHI of 208,557 patients was compromised in the attack. OCR’s investigation uncovered compliance issues related to risk analyses, risk management, audit controls, HIPAA policies and procedures, business associate agreements, and HIPAA Privacy Rule training for the workforce.

Five of the September settlements resulted from OCR’s HIPAA Right of Access enforcement initiative and were due to the failure to provide patients with timely access to their medical records.

| Entity | Settlement |
|---|---|
| Beth Israel Lahey Health Behavioral Services | $70,000 |
| Housing Works, Inc. | $38,000 |
| All Inclusive Medical Services, Inc. | $15,000 |
| Wise Psychiatry, PC | $10,000 |
| King MD | $3,500 |

There was one settlement to resolve a multistate investigation by state attorneys general, with Anthem Inc. agreeing to pay a financial penalty of $48.2 million to resolve multiple violations of HIPAA and state laws in relation to its 78.8 million record data breach in 2015, which is on top of the $16 million financial penalty imposed by OCR in October 2018.


Dickinson County Health Suffers Ransomware Attack

Michigan-based Dickinson County Health has suffered a malware attack that has taken its EHR system offline. The attack has forced the health system to adopt EHR downtime procedures and record patient data using pen and paper. The attack commenced on October 17, 2020 and disrupted computer systems at all its clinics and hospitals in Michigan and Wisconsin.

Systems were shut down to contain the malware and third-party security experts have been retained to investigate the breach and restore its systems and data. While the attack caused considerable disruption, virtually all patient services remained fully operational. It is currently unclear whether patient data were accessed or stolen by the attackers.

“We are treating this matter with the highest priority and are responding by using industry best practices while implementing aggressive protection measures,” said Chuck Nelson, DCHS CEO. “While we investigate, our top priority is maintaining our high standards for patient care throughout our system.”

25,000 Individuals Potentially Impacted by Passavant Memorial Homes Security Breach

Passavant Memorial Homes Family of Services (PMHFOS), a Pennsylvania-based provider of support services for individuals with intellectual disabilities, autism, and behavioral health needs, has experienced a security breach in which the protected health information of its clients may have been compromised.

The incident occurred on August 15, 2020. An unauthorized individual used the contact form on its website to send a message to an authorized user stating that a username and password had been obtained that gave access to its systems. The message alerted PMHFOS to the vulnerability, and the individual claimed no malicious actions were taken.

The breach was investigated by third-party computer forensics experts, who determined that malware had not been installed and no files had been encrypted; however, it was not possible to determine whether any individually identifiable information had been accessed or exfiltrated. Scans were conducted on the dark web to determine whether any client information had been released, but no information was found. A review of the systems that were accessible revealed they contained the PHI of 25,000 individuals.

In response to the breach PMHFOS disabled the compromised account, performed a system-wide password reset, provided further security awareness training to employees, and updated its network security measures. Two-factor authentication has also been implemented. The breach was reported to law enforcement and PMHFOS’ cyber insurance carrier.

Email Error Exposed Email Addresses of Michigan Medicine Patients

Ann Arbor, MI-based Michigan Medicine has started notifying 1,062 patients that their names, email addresses, and limited health information may have been accessed by unauthorized individuals.

Michigan Medicine sent an email communication in late September to patients advising them about an inflammatory bowel disease event; however, the email addresses of patients were not added to the blind carbon copy (BCC) field and could therefore be viewed by all other individuals on the mailing list.

The email did not contain highly sensitive information, although it may have been possible to determine the names of patients from their email addresses and the email identified individuals as suffering from inflammatory bowel disease.

When the error was discovered, separate emails were sent to all individuals on the mailing list informing them about the error and instructing them to delete the first email. Letters were also sent to affected patients on October 16. Michigan Medicine has now changed its procedures for emailing patients to prevent similar errors in the future.
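The BCC mistake above is easy to make by hand and easy to prevent in code. As an added illustration, not code from the article or from Michigan Medicine, the snippet below builds a mass patient notice so that recipient addresses travel only in the SMTP envelope, and adds a pre-send gate that rejects any message whose visible To/Cc headers would expose the mailing list. The sender and patient addresses are constructed.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed addresses for the illustration.
SENDER = "clinic-events@example.org"
PATIENTS = ["p1@example.org", "p2@example.org", "p3@example.org"]


def build_bulk_notice(sender, recipients, subject, body):
    """Return (message, envelope_recipients).

    Patient addresses are placed in NO header. Delivering with
    smtplib.SMTP.send_message(msg, to_addrs=envelope_recipients) hands them to
    the server as envelope RCPT TO addresses only, so no recipient sees the
    others. A Bcc header is never set at all: smtplib strips one before sending,
    but a raw sendmail() of the serialized message would transmit it.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender          # the only visible recipient is the sender's own box
    msg["Subject"] = subject
    msg.set_content(body)
    return msg, list(recipients)


def visible_recipients(msg):
    """Every address a recipient would see in the To and Cc headers."""
    addrs = []
    for header in ("To", "Cc"):
        addrs.extend(a for _, a in getaddresses(msg.get_all(header, [])))
    return addrs


def check_recipient_exposure(msg, sender):
    """Pre-send gate for mass notices: the only address allowed in To/Cc is the
    sender's own, and a Bcc header must not be present. Returns a list of
    problems; an empty list means the message is safe to hand to the MTA."""
    problems = []
    if msg.get("Bcc") is not None:
        problems.append("Bcc header present; recipients must be envelope-only")
    exposed = [a for a in visible_recipients(msg) if a.lower() != sender.lower()]
    if exposed:
        problems.append(f"{len(exposed)} recipient address(es) exposed in To/Cc")
    return problems


def demo_safe():
    """The correct construction: no problems, all patients in the envelope."""
    msg, envelope = build_bulk_notice(SENDER, PATIENTS, "Patient event", "Join us.")
    return check_recipient_exposure(msg, SENDER), envelope


def demo_mistake():
    """The failure mode in the article: every patient pasted into To."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = ", ".join(PATIENTS)
    msg["Subject"] = "Patient event"
    msg.set_content("Join us.")
    return check_recipient_exposure(msg, SENDER)


if __name__ == "__main__":
    print("safe notice:", demo_safe())
    print("mistaken notice:", demo_mistake())
```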


Piedmont Cancer Institute Phishing Attack Impacts 5,000 Patients

Piedmont Cancer Institute (PCI) in Atlanta, GA is notifying 5,226 patients that some of their protected health information may have been viewed or obtained by an unauthorized individual who gained access to the email account of one of its employees.

Assisted by a third-party cybersecurity firm, PCI determined the email account was compromised for more than a month, with the unauthorized individual first accessing the account on April 5, 2020. The account was secured on May 8, 2020.

A review of the compromised account concluded on August 8, 2020 and revealed it contained a variety of protected health information. In addition to names, affected patients had one or more of the following data elements exposed: date of birth, medical information such as diagnosis and treatment information, financial account information, and/or credit/debit card number.

To prevent further breaches, PCI has implemented multi-factor authentication on its email accounts and has provided further training to the workforce on email security.

Potential Data Breach Discovered by McLaren Oakland Hospital

McLaren Oakland Hospital in Pontiac, MI has discovered the protected health information of 2,219 patients has been exposed and may have been accessed by unauthorized individuals.

On July 10, 2020, McLaren Oakland became aware that a computer desktop file contained an unauthorized and unsecure link to a file containing the protected health information of current and former patients.

No evidence was found to indicate any of the PHI in the file had been viewed by unauthorized individuals and no reports have been received indicating any misuse of patient information. Affected individuals have been advised to monitor their accounts and credit reports for any sign of misuse of their information as a precaution. Affected individuals have also been offered complimentary membership to identity theft protection and monitoring services.

Upon discovery of the PHI exposure, the link was disabled. The investigation revealed the link had been inadvertently rendered insecure by an employee. McLaren Oakland has reviewed its policies and procedures with staff and additional training on patient privacy and data security has been provided to employees.

Patient Records Stolen from Edmonds, WA Health and Wellness Clinic

The Health and Wellness Clinic in Edmonds, WA, a provider of “natural medicine and physical care solutions,” has suffered a break-in in which patient records were stolen.

A storage room located off the massage suite at the clinic had a locked external door, which was forced open by a burglar over the weekend of August 29-30. The room appeared to have been searched, papers had been removed from some of the files, and a box of files was discovered to be missing. The stolen records contained information such as names, dates of birth, Social Security numbers, health histories, and treatment information.

The break-in was reported to the police department, which conducted an investigation. A suspect has been identified and the box of stolen records has now been recovered. It is currently unclear how many records were taken from the clinic.


Sen. Warner Seeks Answers about Suspected Universal Health Services Ransomware Attack

Universal Health Services has confirmed that all 250 of its hospitals in the United States are back up and running after a suspected ransomware attack that knocked out its systems for 3 weeks. The attack started on or around September 27, 2020. All systems were brought back online by October 12. An update was posted on the UHS website this week saying, “With back-loading of data substantially complete at this point, hospitals are resuming normal operations.”

While systems were down, clinicians were forced to work on pen and paper in order to continue providing care for patients and, at some locations, patients had to be diverted to alternate facilities to receive treatment.

The health system reported the security breach as a malware attack which forced it to shut down its network; however, several insiders took to Reddit to voice their concerns and explain that this was a ransomware attack. Based on the data posted by those insiders, the attack appeared to have involved Ryuk ransomware. The operators of Ryuk ransomware are known to exfiltrate data prior to the deployment of ransomware; however, UHS maintains that no evidence has been found to indicate employee or patient data were accessed, copied, or misused.

Sen. Mark Warner, D-VA has written to UHS Chairman and CEO Alan Miller seeking answers to several questions about the attack and the cybersecurity measures that had been put in place to prevent and limit the severity of a ransomware or malware attack. In the letter, Sen. Warner said he had “grave concerns about United Health Services’ digital medical records and clinical healthcare operations succumbing to an apparent ransomware attack.”

UHS serves more than 3.5 million patients each year across its 250 hospitals and is one of the largest hospital operators in the United States. “With the full resources of a Fortune 500 company receiving over $11 billion in annual revenue, UHS’s patients expect and deserve that their provider’s cybersecurity posture to be sufficiently mature and robust to prevent major interruptions to health care operations,” said Sen. Warner.

Sen. Warner questioned whether UHS had segmented its network to prevent the lateral movement of hackers and stop an attack from spreading to affect all facilities. Sen. Warner also questioned whether clinical medical devices had been isolated from administrative systems and networks to ensure that in the event of a cyberattack those devices would not be interrupted.

In light of the posts made by insiders, Sen. Warner asked whether UHS paid a ransom for the keys to decrypt files, whether any patient data was rendered inaccessible as a result of the attack, and whether any healthcare data was exfiltrated from UHS-owned or -operated facilities.

Sen. Warner is seeking answers to those and other questions about UHS cybersecurity practices within 2 weeks.

The post Sen. Warner Seeks Answers about Suspected Universal Health Services Ransomware Attack appeared first on HIPAA Journal.

228,000 Individuals Impacted by Legacy Community Health Services Phishing Attack

Legacy Community Health Services in Texas is alerting 228,009 patients about a data breach involving some of their protected health information (PHI). The PHI was stored in an email account that was accessed by an unauthorized individual.

The breach was detected on July 29, 2020, one day after an employee responded to a phishing email and disclosed login credentials to the attacker. The account was immediately secured and a computer forensics firm was engaged to assist with the investigation.

No evidence was found to indicate emails were viewed by the attacker or that electronic protected health information was stolen, although the possibility of data theft could not be totally discounted. The compromised email account contained patient names, dates of service, and health information related to care at Legacy, along with a limited number of Social Security numbers. Complimentary membership to a credit monitoring and identity protection service has been offered to individuals whose Social Security number was compromised.

Email security has been reinforced since the attack and the staff has been retrained on identifying and avoiding phishing emails.

Georgia Department of Human Services Discovers Breach of Multiple Employee Email Accounts

The email accounts of several employees of the Georgia Department of Human Services have been accessed by unauthorized individuals. The email accounts contained the personal and protected health information of parents and children who were involved in Child Protective Services (CPS) cases with the DHS Division of Family & Children Services (DFCS).

The Georgia Department of Human Services learned in August that the attackers potentially accessed emails containing personal and health information. The breach investigation revealed access to the email accounts was gained between May 3, 2020 and May 15, 2020.

The types of data exposed varied from individual to individual and may have included full names, names of household members, relationship to the child receiving services, county of residence, DFCS case number, DFCS identification numbers, date of birth, age, number of times contacted by DFCS, an indicator of whether face-to-face contact was medically appropriate, phone numbers, email addresses, Social Security number, Medicaid identification number, Medicaid medical insurance identification number, medical provider name, and appointment dates.

Psychological reports, counseling notes, medical diagnoses, and substance abuse information relating to 12 individuals were also included in the compromised email accounts, along with one individual’s bank account information.

VOXX International Suffers Ransomware Attack

VOXX International Corporation has confirmed it suffered a ransomware attack on July 7, 2020 in which the protected health information of members of its benefit plans was potentially compromised. Information stored in files on the affected servers included names, addresses, email addresses, dates of birth, Social Security numbers, financial account numbers, and/or health insurance information of current and former employees and their dependents and beneficiaries.

An investigation into the attack revealed the attackers had access to the servers between June 4, 2020 and July 7, 2020, and that prior to the deployment of ransomware some of the files on the servers were accessed by the attackers. The review of the files revealed they contained the PHI of 6,034 individuals.

VOXX has now implemented an endpoint threat detection and response tool and is taking other measures to enhance the security of its network. All affected individuals have been offered complimentary membership to Experian’s IdentityWorks identity theft resolution services.

Einstein Healthcare Network Suffers Phishing Attack

1,821 patients of Philadelphia, PA-based Einstein Healthcare Network are being notified that some of their protected health information has potentially been accessed by unauthorized individuals who gained access to certain employee email accounts. The email security breach was detected on August 10, 2020. The investigation revealed the attacker gained access to email accounts between August 5 and August 17, 2020.

A review of the compromised email accounts revealed they contained patients’ names, dates of birth, medical record or patient account numbers, and/or treatment or clinical information, such as diagnoses, medications, providers, types of treatment, or treatment locations. Certain patients also had their health insurance information and/or Social Security number exposed.

It was not possible to determine whether any emails were accessed or copied by the attackers, but since data theft could not be ruled out, patients whose Social Security number was exposed have been offered a 1-year complimentary membership to credit monitoring and identity protection services.

Einstein Healthcare Network has re-trained employees on how to identify and avoid suspicious emails and steps have been taken to improve the security of its email environment.

The post 228,000 Individuals Impacted by Legacy Community Health Services Phishing Attack appeared first on HIPAA Journal.