Des Moines Orthopaedic Surgeons Notifies Patients About February 2023 Data Breach

Des Moines Orthopaedic Surgeons (DMOS) in Iowa has recently notified 307,864 current and former patients that some of their protected health information (PHI) was exposed in a cyberattack almost a year ago. DMOS explained that the incident occurred on or around February 17, 2023, and allowed an unauthorized third party to access and/or remove files containing the PHI of DMOS patients. DMOS said the breach was due to the failure of one of its vendors.

DMOS said it immediately contained the threat and engaged third-party cybersecurity experts to investigate the incident to determine the extent of compromise. According to the notification letters, “DMOS devoted considerable time and effort to assessing the extent and scope of the incident and to determine what information may have been accessible to the unauthorized users.” It took 10 months to determine that patient data was present in the documents and records involved, with PHI exposure not confirmed until December 6, 2023.

The types of data involved included names along with one or more of the following: Social Security number, date of birth, driver’s license numbers, state identification numbers, passports, direct deposit bank information, medical information, and health insurance information. Notification letters were mailed on January 22, 2024, and individuals whose Social Security numbers were exposed have been offered complimentary credit monitoring and identity theft protection services.

Michigan Orthopaedic Surgeons Email Account Breach Affects 67,000 Patients

Michigan Orthopaedic Surgeons has recently notified 67,477 patients that some of their PHI was present in an email account that was accessed by unauthorized individuals. Suspicious activity was detected in the email account on or around June 29, 2023. A third-party forensic security company was engaged to investigate the incident and confirmed the email account had been accessed by an unauthorized individual between May 5, 2023, and June 21, 2023.

A comprehensive review of the account was initiated, and it was determined on October 20, 2023, that protected health information was present in the account. The types of information varied from individual to individual and may have included names in combination with one or more of the following: date of birth, Social Security number, financial account number, username and password, health insurance information, and medical information, such as diagnosis, lab results, and prescription information. Individual notifications were mailed on December 19, 2023, and complimentary credit monitoring services have been provided to the individuals who had their Social Security numbers exposed.

Prestige Care Suffers Ransomware Attack

Prestige Care, Inc., a Vancouver, WA-based senior care organization, has recently notified 38,087 individuals that some of their personal and protected health information was potentially accessed or acquired in a September 2023 ransomware attack. The attack was detected on September 7, 2023, with the investigation determining that malware had been installed that prevented access to certain files on its system. The investigation confirmed that the threat actor had access to files containing personal and health information on September 7.

The file review confirmed on December 18, 2023, that those files included names and Social Security numbers. Notification letters started to be sent to the affected individuals on January 31, 2024. Complimentary credit monitoring services have been offered for 12 months.

Bay Area Heart Center Impacted by Phishing Attack on Business Associate

Bay Area Heart Center in St. Petersburg, FL has confirmed that patient data was exposed in a cyberattack at the law firm Bowden Barlow Law, P.A., which Bay Area Heart Center uses for collections. An employee at the law firm responded to a phishing email, which provided the attacker with access to one of the law firm’s servers between November 17, 2023, and December 1, 2023. Bay Area Heart Center was notified about the breach on December 27, 2023.

The investigation found no evidence to suggest data had been downloaded, but data theft could not be ruled out. The exposed data included names, addresses, full and partial Social Security Numbers, dates of service, limited claims data, and insurance policy numbers. “Bay Area Heart Center takes this matter extremely seriously and is equally frustrated that its patient files were compromised by a third-party vendor,” explained the healthcare provider in its breach notice. “Given the potential impact this breach could have on patients, and in furtherance of its commitment to safety and security, the medical practice is currently reevaluating its partnership with Bowden Barlow Law.” Bay Area Heart Center said it has offered the affected individuals a one-year membership to a credit monitoring service.

Northern Light Health Says Patient Data Not Compromised in Cyberattack

On February 4, 2024, Northern Light Health in Brewer, ME, announced that it was forced to take its patient records system offline on February 3, 2024, after discovering certain computers had been compromised in a cyberattack. Northern Light Health explained that none of the affected computers stored any patient data, and that the patient record system was taken offline while the incident was investigated. Northern Light Health said no third party has made contact demanding a ransom and the decision to take patient records offline was taken out of an abundance of caution. Downtime procedures were initiated immediately, and patient care was not disrupted.

Daily updates were provided on its website and on February 5, 2024, Northern Light Health said its medical record system was back online. The incident is still being investigated and there are still no indications that patient data was exposed.

The post Des Moines Orthopaedic Surgeons Notifies Patients About February 2023 Data Breach appeared first on HIPAA Journal.

Emerging Ransomware Groups Disproportionately Attack Healthcare Orgs

Ransomware activity almost doubled in 2023, according to the annual GuidePoint Research and Intelligence Team (GRIT) Ransomware Report. The GRIT team identified 4,519 victims of ransomware attacks in 2023, up from 2,507 in 2022. The United States was the most targeted country, accounting for 49% of attacks, with 8 out of the 10 most impacted countries located in North America or Europe. On average, 12.4 victims were posted on data leak sites each day in 2023, an 80.1% increase in public postings from 2022. While the increase was largely driven by mass exploitation campaigns, these attacks only accounted for 5% of total victims in 2023, showing there was also a significant increase in ransomware activity overall.

The main ransomware players in 2023 were LockBit, Alphv, and Clop, with LockBit by far the most active, having conducted more attacks than Alphv and Clop combined. These established groups conducted 85% of attacks and used well-defined tactics. They are also drivers of innovation and tactical change across the ransomware ecosystem, with emerging and developing groups tending to copy the new tactics developed by the established groups to improve the effectiveness and efficiency of their attacks. The more established groups are more likely to exploit critical and high-severity vulnerabilities, as this provides them with a reliable way of exploiting victims at scale, as was seen with Clop in 2023, which exploited zero-day vulnerabilities in two file transfer solutions: Fortra’s GoAnywhere MFT and Progress Software’s MOVEit Transfer.

These groups may conduct the majority of attacks, but there were another 60 smaller ransomware groups that were active in 2023. Emerging and developing ransomware groups are much more likely to target healthcare organizations than established groups. Historically, healthcare has been considered off-limits for some ransomware programs due to the negative press coverage and extra attention from law enforcement agencies, although established groups increased the number of attacks on healthcare organizations in 2023. Attacks on the sector may also increase further in 2024. AlphV claimed not to permit attacks on the sector but removed the restrictions for affiliates following the law enforcement takedown of its data leak site late last year.

With fewer victims paying ransoms, ransomware groups have been forced to develop new tactics to coerce victims. The BlogXX group, which attacked an Australian health insurer in late 2022, proceeded to leak patient data when the ransom wasn’t paid, including lists of patients who had abortion procedures and mental health treatment. AlphV similarly chose to pile on the pressure by publishing photographs of cancer patients. AlphV also started filing complaints with the U.S. Securities and Exchange Commission (SEC) about omissions and misstatements in victims’ SEC filings and the failure to report attacks within the required 4 days. There were also multiple cases of patients being contacted directly by ransomware groups and told they needed to pay to have their data deleted after their healthcare provider refused to pay the ransom.

The GRIT Team expects 2024 will see an increase in posted ransomware victims and an increase in novel coercive tactics, but no change in law enforcement takedowns and arrests. Governments and law enforcement agencies are expected to increase efforts to discourage the payment of ransom, but it is unlikely that there will be significant movement on banning ransom payments altogether.

The post Emerging Ransomware Groups Disproportionately Attack Healthcare Orgs appeared first on HIPAA Journal.