Merck Reaches Settlement with Insurers over $1.4 Billion NotPetya Malware Attack
The pharmaceutical giant Merck has finally reached a settlement with its insurance providers over a June 2017 cyberattack that Merck claimed caused $1.4 billion in damages. Merck was infected with the infamous NotPetya wiper malware, a variant that appeared to be ransomware but was in fact a wiper. The malware has been linked to Russian state-sponsored hackers and was used to attack targets in Ukraine, but infections spread globally, resulting in an estimated $10 billion in losses worldwide.
Merck was badly hit by the attack and claimed that 40,000 of its computers were wiped by the NotPetya malware. When it tried to recover those losses under its ‘all-risk’ insurance policies, its insurers refused to pay out, claiming the cyberattack was excluded because the policies did not cover acts of war.
Merck challenged the decision and maintained that the exclusions in its insurers’ policies did not apply to NotPetya and a trial court judge ruled in Merck’s favor. After examining the language of the war exclusion of the policies, the history of how war exclusions have been interpreted in the past, and the nature of the all-risk policy, the trial court concluded that the cyberattack could not be excluded. The trial court’s decision was affirmed in May 2023 by a state appellate court.
The language of the war exclusion made no reference to cyberwarfare or cyberattacks, and the insurers failed to demonstrate that the NotPetya attack on Merck was a hostile or warlike action. The war exclusion therefore did not apply, and Merck was entitled to recover approximately $700 million of its losses. Ultimately, if the insurers had wanted to exclude certain types of cyberattacks from their coverage, they should have included language to that effect in their policies.
The insurers challenged the decision of the appellate court and sought to have it reversed by the New Jersey Supreme Court; however, this month they decided to drop the appeal and reached a settlement with Merck over the claims. Had the case been resolved through the courts in the insurers’ favor, a legal precedent would have been set with implications for all cyber insurance claims; because the legal challenge has instead been resolved with a confidential settlement, no such precedent exists. That said, insurers are likely to tighten the language of their policies to make clear exactly which types of cyberattacks will and will not be covered.
The post Merck Reaches Settlement with Insurers over $1.4 Billion NotPetya Malware Attack appeared first on HIPAA Journal.
Singing River Health System Confirms Ransomware Attack Affected 253,000 Patients
Singing River Health System has confirmed that the PHI of 253,000 patients was compromised in an August 2023 ransomware attack. Data breaches have also been reported by Highlands Oncology Group, Fincantieri Marine Group, Senior Scripts, and Family Healthcare.
Singing River Health System
Singing River Health System in Mississippi experienced a ransomware attack in August 2023 that took its IT systems out of action for several days, including its electronic medical record system. Without access to patient data and essential IT systems, operations were disrupted, although care continued to be provided to patients throughout. The Rhysida ransomware group claimed responsibility for the attack.
The attack was detected on August 19, 2023, and the forensic investigation confirmed there had been unauthorized network access between August 16 and August 18, 2023. When the initial announcement about the attack was made, it was unclear if any patient data had been compromised and as the deadline for reporting the breach to the HHS’ Office for Civil Rights approached it was still unclear exactly how many patients had been affected, so the breach was reported with an interim figure of 501 individuals.
On September 13, 2023, Singing River Health System confirmed that data had been exfiltrated from its systems, and an update was provided on October 18, 2023, although the extent of the breach had still not been confirmed. On December 18, 2023, Singing River Health System confirmed that the protected health information of 252,890 patients had been compromised. The data involved included names, dates of birth, addresses, Social Security numbers, medical information, and health information.
Notification letters were mailed to the affected individuals on January 12, 2023, and the affected patients have been offered complimentary credit monitoring and identity theft protection services.
Highlands Oncology Group
Highlands Oncology Group in Arkansas experienced a ransomware attack in September 2023. The attackers gained access to parts of its network that contained the protected health information of 55,297 patients. The attack was detected on September 26, 2023, and immediate action was taken to isolate its network to prevent further unauthorized access. The forensic investigation confirmed the attackers had access to its network between September 25, 2023, and September 26, 2023, and that files may have been acquired before ransomware was used to encrypt files.
The review confirmed on November 27, 2023, that the following types of information may have been accessed or acquired in the attack: name, date of birth, Social Security number, driver’s license/state ID number, passport number, military ID number, financial account number, credit/debit card number with and without expiration date and security code, health insurance information, and clinical information, such as diagnosis/conditions, lab results, and prescription information.
While no cases of identity theft or fraud have been tied to the incident, as a precaution, individuals whose Social Security numbers and/or driver’s license/state ID numbers were involved have been offered complimentary identity theft protection services.
Fincantieri Marine Group
Fincantieri Marine Group, LLC, the U.S. arm of the Italian shipbuilder, has confirmed that the protected health information of 11,535 members of its group health plan was compromised in an April 2023 ransomware attack. Fincantieri said the attack was detected on April 12, 2023, and that the resulting outage caused significant production disruption, as it affected servers that fed information to machines used for welding, cutting, and other manufacturing processes, which were taken out of action for several days.
Fincantieri announced the attack in April 2023; however, its extent was unclear at the time. It has since been confirmed that the attackers had access to its network between April 6, 2023, and April 12, 2023, and that files were exfiltrated from the network during that period. Fincantieri’s review of the files on the affected part of its network confirmed on November 6, 2023, that the data of 16,769 individuals had been exposed and potentially stolen, including 11,535 members of its group health plan. The affected individuals were notified about the incident on January 5, 2023, and have been offered two years of complimentary credit monitoring services.
Senior Scripts
Midwest Long Term Care Services, which does business as Senior Scripts, recently confirmed that the protected health information of 10,566 patients was compromised in a security incident that disrupted some of its IT systems. The cyberattack was detected and blocked on October 20, 2023, and the forensic investigation confirmed that the attackers first accessed its systems on October 8, 2023. Files containing patient data may have been removed from its network; the information in those files included names, contact information, insurance information, dates of birth, prescription information, and Social Security numbers. Network monitoring capabilities have been enhanced, and security measures will continue to be reviewed and improved to prevent similar incidents in the future.
Family Healthcare
Family Healthcare in North Dakota has recently announced that it has been affected by a data breach at its business associate Brady Martz & Associates. Brady Martz & Associates is a North Dakota-based provider of tax-related services, audit and financial guidance, and bookkeeping and payroll assistance.
Brady Martz & Associates was provided with the data of Family Healthcare employees and certain patients in order to carry out its contracted duties, which included auditing patient billing documents. Brady Martz & Associates detected a security breach in November 2022 and engaged cybersecurity experts to investigate and determine its extent, which was found to cover more than 53,000 individuals. The breach was announced by Brady Martz & Associates on September 8, 2023.
According to Brady Martz & Associates, the information exposed and potentially compromised in the attack included patient and/or employee names, dates of birth, ages, phone numbers, financial account information, health insurance information, patient account numbers, Social Security numbers, and information regarding care received at Family HealthCare facilities. It is unclear how many Family Healthcare patients were affected and why it took until January 11, 2024, for Family Healthcare to publicly announce the breach.
The post Singing River Health System Confirms Ransomware Attack Affected 253,000 Patients appeared first on HIPAA Journal.
Electrostim Medical Services Data Breach Impacts 543,000 Patients
The Florida medical device company Electrostim Medical Services, Inc., which does business as EMSI, has recently confirmed that it suffered a cyberattack in May 2023 in which unauthorized parties accessed parts of its network containing patient data. The Electrostim Medical Services data breach has been reported to the HHS’ Office for Civil Rights as affecting 542,990 patients.
Suspicious activity was detected within its network on May 13, 2023, and after securing its systems, third-party cybersecurity specialists were engaged to assess the nature and scope of the incident. The investigation confirmed that unauthorized individuals had access to its network for around two weeks between April 27, 2023, and May 13, 2023. While data theft was not confirmed, the unauthorized individuals had access to parts of the network containing patients’ protected health information and that information may have been copied. Electrostim Medical Services said it has not learned of any instances of attempted or actual misuse of patient data as a result of the security incident.
The breach notifications explained that the delay in notifying individuals was due to an extensive review of the network to determine which individuals and data types were involved, followed by a review of internal records to identify contact information so that notification letters could be sent. The types of information involved varied from individual to individual and may have included the following: name, address, email address, phone number(s), diagnosis, insurance information, subscriber number, and product(s) prescribed and billed.
Electrostim Medical Services said notification letters were mailed in late December and steps have been taken to improve network security.
The post Electrostim Medical Services Data Breach Impacts 543,000 Patients appeared first on HIPAA Journal.